CCNA Routing and Switching: Scaling Networks Practice and Study Guide ICND2 200-101 (Instructor's Version)

CCNA Routing and Switching Practice and Study Guide: Exercises, Activities, and Scenarios to Prepare for the ICND2 (200-101) Certification Exam Instructor’s Answer Key Allan Johnson

Cisco Press 800 East 96th Street Indianapolis, Indiana 46240 USA

instructor.indb i

3/12/14 7:51 AM

ii

CCNA Routing and Switching Practice and Study Guide

CCNA Routing and Switching Practice and Study Guide: Exercises, Activities, and Scenarios to Prepare for the ICND2 (200-101) Certification Exam Instructor’s Answer Key

Publisher Paul Boger

Allan Johnson

Executive Editor Mary Beth Ray

Associate Publisher Dave Dusthimer Business Operation Manager, Cisco Press Jan Cornelssen

Copyright© 2014 Cisco Systems, Inc. Cisco Press logo is a trademark of Cisco Systems, Inc. Published by: Cisco Press 800 East 96th Street Indianapolis, IN 46240 USA All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review. Printed in the United States of America First Printing April 2014 ISBN-13: 978-0-13-381341-8 ISBN-10: 0-13-381341-X

Warning and Disclaimer This book is designed to provide information about networking. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.

Managing Editor Sandra Schroeder Senior Development Editor Christopher Cleveland Project Editor Mandie Frank Copy Editor Keith Cline Technical Editor Steve Stiles Editorial Assistant Vanessa Evans Designer Mark Shirar Composition Tricia Bronkella Proofreader Sarah Kearns

The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

instructor.indb ii

3/12/14 7:51 AM

iii

Trademark Acknowledgments All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc. cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Special Sales For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at [email protected] or (800) 382-3419. For government sales inquiries, please contact [email protected]. For questions about sales outside the U.S., please contact [email protected].

Feedback Information At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at [email protected]. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance.

8

instructor.indb iii

3/12/14 7:51 AM

iv


About the Author Allan Johnson entered the academic world in 1999 after 10 years as a business owner/operator to dedicate his efforts to his passion for teaching. He holds both an MBA and an M.Ed in Occupational Training and Development. He is an information technology instructor at Del Mar College in Corpus Christi, Texas. In 2003, Allan began to commit much of his time and energy to the CCNA Instructional Support Team, providing services to Networking Academy instructors worldwide and creating training materials. He now works full time for Cisco Networking Academy as a Learning Systems Developer.

instructor.indb iv

3/12/14 7:51 AM

v

About the Technical Reviewer Steve Stiles is a Cisco Network Academy Instructor for Rhodes State College and a Cisco Certified Instructor Trainer, having earned CCNA Security and CCNP level certifications. He was the recipient of the 2012 Outstanding Teacher of the Year by the Ohio Association of Two-Year Colleges and co-recipient for the Outstanding Faculty of the Year at Rhodes State College.

instructor.indb v

3/12/14 7:51 AM

vi


Dedication For my wife, Becky. Without the sacrifices you made during the project, this work would not have come to fruition. Thank you providing me the comfort and resting place only you can give. —Allan Johnson

instructor.indb vi

3/12/14 7:51 AM

vii

Acknowledgments When I began to think of whom I would like to have as a technical editor for this work, Steve Stiles immediately came to mind. With his instructor and industry background, and his excellent work building activities for the new Cisco Networking Academy curriculum, he was an obvious choice. Thankfully, when Mary Beth Ray contacted him, he was willing and able to do the arduous review work necessary to make sure that you get a book that is both technically accurate and unambiguous. The Cisco Network Academy authors for the online curriculum and series of Companion Guides take the reader deeper, past the CCENT exam topics, with the ultimate goal of not only preparing the student for CCENT certification, but for more advanced college-level technology courses and degrees, as well. Thank you especially to Amy Gerrie and her team of authors— Rick Graziani, Wayne Lewis, and Bob Vachon—for their excellent treatment of the material; it is reflected throughout this book. Mary Beth Rey, Executive Editor, you amaze me with your ability to juggle multiple projects at once, steering each from beginning to end. I can always count on you to make the tough decisions. This is my seventh project with Christopher Cleveland as development editor. His dedication to perfection pays dividends in countless, unseen ways. Thank you again, Chris, for providing me with much-needed guidance and support. This book could not be a reality without your persistence.

instructor.indb vii

3/12/14 7:51 AM

viii


Contents at a Glance Introduction

xvi

Part I: Scaling Networks Chapter 1

Introduction to Scaling Networks

1

Chapter 2

LAN Redundancy

13

Chapter 3

Link Aggregation

31

Chapter 4

Wireless LANs

Chapter 5

Adjust and Troubleshoot Single-Area OSPF

Chapter 6

Multiarea OSPF

Chapter 7

EIGRP 87

Chapter 8

EIGRP Advanced Configurations and Troubleshooting

Chapter 9

IOS Images and Licensing

41 57

77

109

127

Part II: Connecting Networks

instructor.indb viii

Chapter 10

Hierarchical Network Design

137

Chapter 11

Connecting to the WAN

Chapter 12

Point-to-Point Connections

Chapter 13

Frame Relay

Chapter 14

Network Address Translation for IPv4

Chapter 15

Broadband Solutions

Chapter 16

Securing Site-to-Site Connectivity

Chapter 17

Monitoring the Network

Chapter 18

Troubleshooting the Network

147 155

171 181

193 203

213 223

3/12/14 7:51 AM

ix

Contents Introduction

xvi

Part I: Scaling Networks Chapter 1

Introduction to Scaling Networks Implementing a Network Design

2


2

Identify Scalability Terminology Selecting Network Devices

6

7

Selecting Switch Hardware

7

Selecting Router Hardware

8

Managing Devices

1

8

Basic Router Configuration Review Basic Router Verification Review

10

Basic Switch Configuration Review Basic Switch Verification Review Chapter 2

LAN Redundancy

10

11

13

Spanning-Tree Concepts

14

Draw a Redundant Topology Purpose of Spanning Tree

14

15

Spanning-Tree Operation

15

Identify the 802.1D Port Roles

17

Varieties of Spanning Tree Protocols

Comparing the STP Varieties PVST+ Operation

9

20

20

21

Rapid PVST+ Operation

22

Spanning-Tree Configuration

23

PVST+ and Rapid PVST+ Configuration First Hop Redundancy Protocols

Identify FHRP Terminology Identify the Type of FHRP

23

26

27 28

HSRP and GLBP Configuration and Verification Chapter 3

Link Aggregation

31

Link Aggregation Concepts

EtherChannel Advantages EtherChannel Operation

instructor.indb ix

28

32

32 32

3/12/14 7:51 AM

x


Link Aggregation Configuration

Configuring EtherChannel

33

34

EtherChannel Configuration Scenario 1

34


34


35

Verifying and Troubleshooting EtherChannel Chapter 4

Wireless LANs

41

Wireless LAN Concepts

42

Identify Wireless Technologies

42

WLANs Components and Topologies Wireless LAN Operations

45

Wireless Media Contention Associating with an AP

48

50

Channel Management Concepts Wireless LAN Security

44

45

Label the 802.11 Frame

52

53

WLAN Security Terminology

53

Identify the WLAN Security Characteristics Wireless LAN Configuration

Troubleshooting WLAN Issues

54

55

Adjust and Troubleshoot Single-Area OSPF Advanced Single-Area OSPF Configurations

58

Single-Area OSPF Configuration Review

58

Configuring Single-Area OSPFv2 Verifying Single-Area OSPFv2 Verifying Single-Area OSPFv3

57

58

59

Configuring Single-Area OSPFv3 Identify Network Types

54

54

Configuring WLAN Routers and Clients

Chapter 5

35

59

61

62

OSPF and Multi-Access Networks

63

OSPF and Multi-Access Networks Completion Exercise DR/BDR Election Exercise

65

Redistributing an OSPF Default Route Exercise OSPFv2 Default Route Redistribution

67

OSPFv3 Default Route Redistribution

68

Fine-Tuning OSPF Interfaces

67

69

Securing OSPFv2 with MD5 Authentication

69

Troubleshooting Single-Area OSPF Implementations

OSPF Adjacency Issues

instructor.indb x

63

71

71

Identify OSPFv2 Troubleshooting Commands

71

Identify OSPFv3 Troubleshooting Commands

74

3/12/14 7:51 AM

xi

Chapter 6

Multiarea OSPF

77

Multiarea OSPF Operation

78

Multiarea OSPF Terminology and Concepts Multiarea OSPF LSA Operation

79

OSPF Routing Table and Types of Routes Configuring Multiarea OSPF

78 79

80

Configuring Multiarea OSPF

80

Configuring Route Summarization for Multiarea OSPFv2 Verifying Multiarea OSPF Chapter 7

EIGRP 87 Characteristics of EIGRP

88

Describe Basic EIGRP Features

88

Identify and Describe EIGRP Packet Types

88

Identify Elements of the EIGRP Message Formats Configuring EIGRP for IPv4

Verifying EIGRP with IPv4 Operation of EIGRP

94

97

99

EIGRP Metric Concepts

99

DUAL Concepts Exercise

100

DUAL FSM Completion Exercise Configuring EIGRP for IPv6

102

104

Comparing EIGRP for IPv4 and EIGRP for IPv6 Configuring and Verifying EIGRP for IPv6

104

105

EIGRP Advanced Configurations and Troubleshooting Advanced EIGRP Configurations

Automatic Summarization Manual Summarization

110

110

IPv4 Manual Summarization

113

IPv6 Manual Summarization

115

116

Fine-Tuning EIGRP Interfaces

118

Securing EIGRP Routing Updates Troubleshoot EIGRP

109

112

Default Route Propagation

120

121

Commands for Troubleshooting EIGRP Troubleshoot EIGRP Connectivity Issues

instructor.indb xi

89

94

Configuring EIGRP with IPv4

Chapter 8

83

85

Connectivity Issue #1

122


123


123

121 122

3/12/14 7:51 AM

xii


Chapter 9

IOS Images and Licensing Managing IOS System Files

127 128

IOS Families, Trains, and Naming Conventions Backing Up Cisco IOS Images IOS Licensing

128

131

132

Software Licensing

132

License Verification and Management

133

Part II: Connecting Networks Chapter 10


137

Hierarchical Network Design Overview

138

Enterprise Network Campus Design

138


138

Cisco Enterprise Architecture

139

Modular Network Design

139

Cisco Enterprise Architecture Model Evolving Network Architectures

144

Cisco Enterprise Architectures

144

Emerging Network Architectures Chapter 11


140

144

147

WAN Technologies Overview

148

Network Types and Their Evolving WAN Needs WAN Operations and Terminology Selecting a WAN Technology

149

151

Varieties of WAN Link Connections

151

Private and Public WAN Access Options Chapter 12


155

Serial Point-to-Point Overview

156

Serial Communications WAN Protocols

156 158

HDLC Configuration and Troubleshooting Troubleshooting Serial Interfaces

instructor.indb xii

159

159

160

PPP Components PPP Sessions

152

158

HDLC Encapsulation

PPP Operation

148

160

162

3/12/14 7:51 AM

xiii

Configure PPP

165

Basic PPP Configuration with Options PPP Authentication

167

PAP Configuration

168

CHAP Configuration

168

Troubleshoot WAN Connectivity

Chapter 13

Frame Relay

165

168

171

Introduction to Frame Relay

172

Frame Relay Concepts and Terminology Frame Relay Operation Configure Frame Relay

173

176

Configure Basic Frame Relay Configure Subinterfaces Troubleshoot Connectivity

Chapter 14

176

177 178

Network Address Translation for IPv4 NAT Operation

Configuring NAT

181

183

Configuring Static NAT

183

Configuring Dynamic NAT

184

Configuring Port Address Translation A Word About Port Forwarding Configuring NAT and IPv6 Troubleshooting NAT Broadband Solutions Teleworking

181

181

NAT Characteristics

Chapter 15

172

185

189

189

190 193

194

Benefits of Teleworking Costs of Teleworking

194

194

Business Requirements for Teleworker Services Comparing Broadband Solutions

Cable DSL

195

195 197

Broadband Wireless

199

Selecting Broadband Solutions Configuring xDSL Connectivity

PPPoE Overview

200

200

200

Configuring PPPoE

instructor.indb xiii

194

201

3/12/14 7:51 AM

xiv


Chapter 16

Securing Site-to-Site Connectivity VPNs

203

204

Fundamentals of VPNs Types of VPNs

204

204

Site-to-Site GRE Tunnels

205

Fundamentals of Generic Routing Encapsulation Configuring GRE Tunnels Introducing IPsec

206

208

Internet Protocol Security IPsec Framework Remote Access

208

208

210

Remote-Access VPN Solutions IPsec Remote-Access VPNs Chapter 17

Monitoring the Network Syslog

210

211

213

214

Syslog Operation

214

Configuring Syslog SNMP

205

215

215

SNMP Operation

215

Configuring SNMP

218

NetFlow 219

NetFlow Operation

220

Configuring NetFlow Chapter 18

220


223

Troubleshooting with a Systematic Approach

Network Documentation

224

224

Troubleshooting Process and Methodologies Network Troubleshooting

230

Troubleshooting Tools

231

Network Troubleshooting and IP Connectivity

instructor.indb xiv

227

232

3/12/14 7:51 AM

xv

Icons Used in This Book DSU/CSU

Router

Bridge

Hub

DSU/CSU

Catalyst Switch

Multilayer Switch

ATM Switch

ISDN/Frame Relay Switch

Communication Server

Gateway

Access Server

Command Syntax Conventions The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:

instructor.indb xv

■

Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).

■

Italics indicate arguments for which you supply actual values.

■

Vertical bars (|) separate alternative, mutually exclusive elements.

■

Square brackets [ ] indicate optional elements.

■

Braces { } indicate a required choice.

■

Braces within brackets [{ }] indicate a required choice within an optional element.

3/12/14 7:51 AM

xvi


Introduction The purpose of this book is to provide you with an extra resource for studying the exam topics of the Interconnecting Cisco Networking Devices Part 2 (ICND2) exam that leads to Cisco Certified Networking Associate (CCNA) certification. This book maps to the third and fourth Cisco Networking Academy courses in the CCNA Routing and Switching curricula: Scaling Networks (SN) and Connecting Networks (CN). Ideally, the reader will have completed the first two courses: Introduction to Networks (ITN) and Routing and Switching Essentials (RSE). SN continues where RSE left off, taking the student deeper into the architecture, components, and operations of routers and switches in a large and complex network. Successfully completing this course means that you should be able to configure and troubleshoot routers and switches and resolve common issues with OSPF, EIGRP, STP, and VTP in both IPv4 and IPv6 networks. CN pulls everything from the first three courses together as the student learns the WAN technologies and network services required by converged applications in a complex network. Successfully completing this course means that you should be able to configure and troubleshoot network devices and resolve common WAN issues and implement IPsec and virtual private network (VPN) operations in a complex network. To learn more about CCNA Routing and Switching courses and to find an Academy near you, visit http://www.netacad.com. However, if you are not an Academy student but would like to benefit from the extensive authoring done for these courses, you can buy any or all of CCNA Routing and Switching Companion Guides (CG) and Lab Manuals (LM) of the Academy’s popular online curriculum. Although you will not have access to the Packet Tracer network simulator software, you will have access to the tireless work of an outstanding team of Cisco Academy instructors dedicated to providing students with comprehensive and engaging CCNA Routing and Switching preparation course material. The titles and ISBNs for the first two courses of the CCNA Routing and Switching CGs and LMs are as follows: ■

Scaling Networks Companion Guide (ISBN: 9781587133282)

■

Scaling Networks Lab Manual (ISBN: 9781587133251)

■

Connecting Networks Companion Guide (ISBN: 9781587133329)

■

Connecting Networks Lab Manual (ISBN: 9781587133312)

Goals and Methods The most important goal of this book is to help you pass the 200-101 Interconnecting Cisco Networking Devices Part 2 (ICND2) exam, which is associated with the Cisco Certified Network Associate (CCNA) certification. Passing the CCNA exam means that you have the knowledge and skills required to successfully install, operate, and troubleshoot a small branch office network. You can view the detailed exam topics any time at http://learningnetwork.cisco.com. They are divided into five broad categories:

instructor.indb xvi

■

LAN Switching Technologies

■

IP Routing Technologies

■

IP Services

■

Troubleshooting

■

WAN Technologies

3/12/14 7:51 AM

xvii

This book offers exercises that help you learn the concepts, configurations, and troubleshooting skills crucial to your success as a CCNA exam candidate. Each chapter differs slightly and includes some or all of the following types of practice: ■

Vocabulary-matching exercises

■

Concept question exercises

■

Skill-building activities and scenarios

■

Configuration scenarios

■

Troubleshooting scenarios

Audience for This Book This book’s main audience is anyone taking the CCNA Routing and Switching courses of the Cisco Networking Academy curriculum. Many Academies use this Practice Study Guide as a required tool in the course, whereas other Academies recommend the Practice Study Guide as an additional resource to prepare for class exams and the CCNA certification. The secondary audiences for this book include people taking CCNA-related classes from professional training organizations. This book can also be used for college- and university-level networking courses, and by anyone wanting to gain a detailed understanding of INCD2 routing and switching concepts.

How This Book Is Organized Because the content of the Scaling Networks Companion Guide, the Connecting Networks Companion Guide, and the online curriculum is sequential, you should work through this Practice and Study Guide in order beginning with Chapter 1. The book covers the major topic headings in the same sequence as the online curriculum. This book has 18 chapters, their names the same as the online course chapters. However, the numbering is sequential in this book, progressing from Chapter 1 to Chapter 18. The online curriculum starts over at Chapter 1 in the Connecting Networks course. Most of the configuration chapters use a single topology where appropriate. This allows for better continuity and easier understanding of routing and switching commands, operations, and outputs. However, the topology differs from the one used in the online curriculum and the Companion Guide. A different topology affords you the opportunity to practice your knowledge and skills without just simply recording the information you find in the text. Packet Tracer Activity

Note: Throughout the book, you will find references to Packet Tracer and Lab activities. These references are provided so that you can, at that point, complete those activities. The Packet Tracer activities are accessible only if you have access to the online curriculum. However, the Labs are available in the Lab Manuals previously cited.

Video Demonstration

instructor.indb xvii

3/12/14 7:51 AM

xviii


Part I: Scaling Networks ■

Chapter 1, “Introduction to Scaling Networks”: This chapter provides vocabulary and concept exercises to reinforce your understanding of hierarchical network design and selecting hardware. You will also practice basic router and switch configuration and verification.

■

Chapter 2, “LAN Redundancy”: The exercises in this chapter cover the concepts, operations, configuration, and verification of all the current varieties of STP.

■

Chapter 3, “Link Aggregation”: This chapter’s exercises are devoted to the concepts, configuration, verification, and troubleshooting of EtherChannel.

■

Chapter 4, “Wireless LANs”: This chapter is all about wireless connectivity technologies. You will complete exercises that focus on various types of wireless and the standards for 802.11. In addition, you will complete activities focused on WLAN components, topologies, and security.

■

Chapter 5, “Adjust and Troubleshoot Single-Area OSPF”: This chapter focuses on advanced OSPF concepts, configuration, verification, and troubleshooting.

■

Chapter 6, “Multiarea OSPF”: The CCNA exam now includes multiarea OSPF. So, this chapter includes exercises covering multiarea OSPF concepts and configuration, verification, and troubleshooting.

■

Chapter 7, “EIGRP”: The exercises in this chapter are devoted to the basic concepts and configuration of Cisco’s routing protocol, EIGRP for IPv4 and IPv6.

■

Chapter 8, “EIGRP Advanced Configurations and Troubleshooting”: This chapter focuses on advanced EIGRP concepts, configuration, verification, and troubleshooting.

■

Chapter 9, “IOS Images and Licensing”: This chapter is devoted to the crucial knowledge and skills you need to manage IOS images. Exercises focus on basic IOS image concepts and management tasks.

Part II: Connecting Networks

instructor.indb xviii

■

Chapter 10, “Hierarchical Network Design”: Part II, much like Part I, starts off network design. Exercises focus on the various types of network design models and architectures.

■

Chapter 11, “Connecting to the WAN”: This chapter is a survey of all the various WAN access options and technologies that are available for connecting today’s networks. The exercises focus on differentiating between all these WAN options.

■

Chapter 12, “Point-to-Point Connections”: One of the older, and still viable, WAN options is PPP. Exercises in this chapter focus on the serial interface and then the concepts, configuration, verification, and troubleshooting of PPP with PAP and CHAP authentication.

■

Chapter 13, “Frame Relay”: Although some may consider Frame Relay obsolete, it is still a viable option in depending on your location. This chapter includes exercises covering the concepts, configuration, verification, and troubleshooting of Frame Relay.

3/12/14 7:51 AM

xix

■

Chapter 14, “Network Address Translation for IPv4”: NAT was created to provide a temporary solution to the limited address space in IPv4. Just about every router connected to the network uses NAT or forwards traffic to a NAT-enabled device for address translation. This chapter focuses on exercises to reinforce your understanding of NAT operation and characteristics. Practice activities include configuring, verifying, and troubleshooting static NAT, dynamic NAT, and PAT.

■

Chapter 15, “Broadband Solutions”: Working from home or away from a central office has largely been made possible by the advent of broadband technologies and VPNs. This exercises in this chapter help you distinguish between the various broadband offerings on the market.

■

Chapter 16, “Securing Site-to-Site Connectivity”: VPNs allow teleworkers and branch sites connect to the corporate network regardless of the underlying WAN access option. The exercises in this chapter are devoted to the concepts of the various VPN solutions, including IPsec and GRE configuration.

■

Chapter 17, “Monitoring the Network”: As a network administrator, you are more likely to be managing a network using a variety of tools rather than designing and building them. The exercises in this chapter cover three popular network monitoring tools: syslog, SNMP, and NetFlow.

■

Chapter 18, “Troubleshooting the Network”: Throughout your CCNA studies, you have practice troubleshooting skills in relation to specific technologies. This chapter reviews troubleshooting methodologies and the tools and commands you use to troubleshoot a network. Troubleshooting is a key skill to fine-tune now that you are close to taking your CCNA exam.

About the Cisco Press Website for This Book Cisco Press provides additional content that can be accessed by registering your individual book at the ciscopress.com website. Becoming a member and registering is free, and you then gain access to exclusive deals on other resources from Cisco Press. To register this book, go to http://www.ciscopress.com/bookstore/register.asp and enter the book’s ISBN located on the back cover of this book. You’ll then be prompted to log in or join ciscopress.com to continue registration. After you register the book, a link to the supplemental content will be listed on your My Registered Books page.

instructor.indb xix

3/12/14 7:51 AM

instructor.indb xx

3/12/14 7:51 AM

CHAPTER 1

Introduction to Scaling Networks

As a business grows, so does its networking requirements. To keep pace with a business’s expansion and new emerging technologies, a network must be designed to scale. A network that scales well is not only one that can handle growing traffic demands, but also one designed with the inevitable need to expand. This short chapter sets the stage for the rest of the course. This chapter covers the hierarchical network design model, the Cisco Enterprise Architecture modules, and appropriate device selections that you can use to systematically design a highly functional network.

instructor.indb 1

3/12/14 7:51 AM

2


Implementing a Network Design An enterprise network must be designed to support the exchange of various types of network traffic, including data files, email, IP telephony, and video applications for multiple business units.

Hierarchical Network Design Users expect enterprise networks to be up 99.999 percent of the time. To provide this kind of reliability, enterprise class equipment uses redundant power supplies and has failover capabilities. Describe what failover capability means for enterprise class equipment. Failover capability refers to the ability of a device to switch from a nonfunctioning module, service, or device to a functioning one with little or no break in service. Why should a network be organized so that traffic stays local and is not propagated unnecessarily on to other portions of the network? Keeping traffic local optimizes bandwidth. Designing a network using the three-layer hierarchical design model helps optimize the network. In Figure 1-1, label the three layers of the hierarchical design model. Figure 1-1

Hierarchical Design Model Hierarchical Design Model

Internet

instructor.indb 2

Internet

3/12/14 7:51 AM

Chapter 1: Introduction to Scaling Networks

Figure 1-1a

3

Hierarchical Design Model (answer) Hierarchical Design Model

Internet

Internet

Core Layer

Distribution Layer

Access Layer

Briefly describe each layer of the hierarchical design model. The access layer provides connectivity for the users. The distribution layer is used to forward traffic from one local network to another. Finally, the core layer represents a high-speed backbone layer between dispersed networks. The Cisco Enterprise Architecture divides the network into functional components while still maintaining the core, distribution, and access layers. The primary Cisco Enterprise Architecture modules include Enterprise Campus, Enterprise Edge, Service Provider Edge, and Remote. A well-designed network not only controls traffic but also limits the size of failure domains. Briefly describe a failure domain. A failure domain is the area of a network that is impacted when a critical device or network service experiences problems.

instructor.indb 3

3/12/14 7:51 AM

4


Use the list of modules to label the parts of the Cisco Enterprise Architecture in Figure 1-2. Modules 1 Campus Core 2 Remote Access & VPN 3 Building Distribution 4 Internet Connectivity 5 Building Access 6 Server Farm & Data Center 7 WAN Site-to-Site VPN 8 E-Commerce Figure 1-2

Cisco Enterprise Architecture

Enterprise Campus

Enterprise Edge

Service Provider Edge

Remote

Campus Infrastructure Module

Enterprise Branch ISP A

ISP B

Enterprise Teleworker

PSTN Enterprise Data Center

Network Management

instructor.indb 4

Frame Relay, ATM, MAN, ...

3/12/14 7:51 AM


Figure 1-2a

5

Cisco Enterprise Architecture (answer)

Enterprise Campus 5

Enterprise Edge


Enterprise Branch


8

3

1

Remote

ISP A

4 ISP B


2 PSTN Enterprise Data Center

6 7 Network Management

instructor.indb 5


3/12/14 7:51 AM

6


Identify Scalability Terminology Match the definition on the left with the term on the right. This is a one-to-one matching exercise. Definition g. Isolates routing updates and minimizes the size of routing tables c. Cisco proprietary distance vector routing protocol f. Allows for redundant paths by eliminating switching loops h. Technique for aggregating multiple links between equipment to increase bandwidth e. Minimizes the possibility of a single point of failure

Terms a. Modular equipment b. OSPF c. EIGRP d. Wireless LANs e. Redundancy f. Spanning Tree Protocol g. Scalable Routing Protocol h. EtherChannel

a. Supports new features and devices without requiring major equipment upgrades b. Link-state routing protocol with a two-layer hierarchical design d. Increases flexibility, reduces costs, and provides mobility to users

instructor.indb 6

3/12/14 7:51 AM


7

Selecting Network Devices When designing a network, it is important to select the proper hardware to meet current network requirements and to allow for network growth. Within an enterprise network, both switches and routers play a critical role in network communication.

Selecting Switch Hardware Match the business consideration on the left with the switch feature on the right. This is a one-to-one matching exercise. Business Consideration a. Should provide continuous access to the network d. Daisy-chain switches with high-bandwidth throughput j. Refers to a switch’s ability to support the appropriate number of devices on the network h. Ability to adjust to growth of network users i. How fast the interfaces will process network data e. Important consideration in a network where there may be congested ports to servers or other areas of the network

Switch Feature a. Reliability b. Modular c. Power d. Stackable e. Frame buffers f. Cost g. Fixed configuration h. Scalability i. Port speed j. Port density

c. Provides electrical current to other device and support redundant power supplies g. Switches with preset features or options f. Depends on the number and speed of the interfaces, supported features, and expansion capability b. Switches with insertable switching line/port cards

instructor.indb 7

3/12/14 7:51 AM

8


Packet Tracer Activity

Packet Tracer - Comparing 2960 and 3560 Switches (SN 1.2.1.7/SwN 1.1.2.5)

Selecting Router Hardware In Table 1-1, select the router category that applies to each description. Table 1-1

Identify Router Category Features

Router Description

Branch Routers

Fast performance with high security for data centers, campus, and branch networks

Network Edge Routers

Service Provider Routers

X

Simple network configuration and management for LANs and WANs

X

Optimizes services on a single platform

X

End-to-end delivery of subscriber services

X

Deliver next-generation Internet experiences across all devices and locations

X

High capacity and scalability with hierarchical quality of service Maximizes local services and ensures 24/7/365 uptime

X X

Unites campus, data center, and branch networks

X

Managing Devices A basic router or switch configuration includes the hostname for identification, passwords for security, and assignment of IP addresses to interfaces for connectivity. A router configuration also includes basic routing. In addition to configuration commands, router and switch verification commands are used to verify the operational status of the router or switch and related network functionality. Use the address scheme in Table 1-2 in the following exercises that review the most common router and switch configuration and verification commands. Table 1-2 Device

Interface

IPv4 Address

Subnet Mask

Default Gateway

R1

G0/0

172.16.1.1

255.255.255.0

N/A

S1

instructor.indb 8

Router and Switch Addressing Table

S0/0/0

172.16.3.1

255.255.255.252

N/A

S0/0/1

192.168.10.5

255.255.255.252

N/A

VLAN 1

192.168.1.5

255.255.255.0

192.168.1.1

3/12/14 7:51 AM


9

Basic Router Configuration Review Using Table 1-2 and the following requirements, record the commands, including the router prompt, to implement a basic router configuration: ■

Hostname is R1.

■

Console and Telnet line’s password is cisco.

■

Privileged EXEC password is class.

■

Banner message-of-the-day.

■

Interface addressing.

■

OSPF routing, including an appropriate router ID.

■

Save the configuration.

Router(config)# hostname R1 R1(config)# enable secret class R1(config)# line con 0 R1(config-line)# password cisco R1(config-line)# login R1(config-line)# line vty 0 15 R1(config-line)# password cisco R1(config-line)# login R1(config-line)# service password-encryption R1(config)# banner motd $ Authorized Access Only! $ R1(config)# interface GigabitEthernet0/0 R1(config-if)# ip address 172.16.1.1 255.255.255.0 R1(config-if)# no shutdown R1(config-if)# interface Serial0/0/0 R1(config-if)# ip address 172.16.3.1 255.255.255.252 R1(config-if)# no shutdown R1(config-if)# interface Serial0/0/1 R1(config-if)# ip address 192.168.10.5 255.255.255.252 R1(config-if)# no shutdown R1(config-if)# router ospf 10 R1(config-router)# router-id 1.1.1.1 R1(config-router)# network 172.16.1.0 0.0.0.255 area 0 R1(config-router)# network 172.16.3.0 0.0.0.3 area 0 R1(config-router)# network 192.168.10.4 0.0.0.3 area 0 R1(config-router)# do copy run start

instructor.indb 9

3/12/14 7:51 AM

10


Basic Router Verification Review In Table 1-3, record the verification command that will generate the described output. Table 1-3

Router Verification Commands

Command

Command Output

show ip route

Displays the routing table for known networks, including administrative distance, metric, and outbound interface

show ip protocols

Displays information about routing protocols, including process ID, router ID, and neighbors

show cdp neighbors

Displays information about directly connected Cisco devices

show ip interface brief

Displays all interfaces in an abbreviated format, including IP address and status

show ip ospf neighbor

Displays information about neighbors, including router ID, state, IP address, and local interface that learned of neighbor

show interfaces

Displays one or all interfaces, including status, bandwidth, and duplex type

Basic Switch Configuration Review Using Table 1-2 and the following requirements, record the commands, including the switch prompt, to implement a basic switch configuration: ■

Hostname is S1.

■

Console and Telnet line’s password is cisco.

■

Privileged EXEC password is class.

■

Banner message-of-the-day.

■

VLAN 1 interface addressing.

■

Save the configuration.

Switch(config)# hostname S1 S1(config)# enable secret class S1(config)# line con 0 S1(config-line)# password cisco S1(config-line)# login S1(config-line)# line vty 0 15 S1(config-line)# password cisco S1(config-line)# login S1(config-line)# service password-encryption S1(config)# banner motd $ Authorized Access Only! $ S1(config)# interface vlan 1 S1(config-if)# ip address 192.168.1.5 255.255.255.0 S1(config-if)# no shutdown S1(config-if)# ip default-gateway 192.168.1.1 S1(config-if)# do copy run start

instructor.indb 10

3/12/14 7:51 AM


11

Basic Switch Verification Review In Table 1-4, record the verification command that will generate the described output. Table 1-4

Packet Tracer Challenge

instructor.indb 11

Router Verification Commands

Command

Command Output

show cdp neighbors

Displays information about directly connected Cisco devices

show port-security address

Displays all secure MAC addresses

show mac-address-table

Displays a table of learned MAC addresses, including the port number and VLAN assigned to the port

show interfaces

Displays one or all interfaces, including status, bandwidth, and duplex type

show port-security

Displays information about maximum MAC addresses allowed, current counts, security violation count, and action to be taken

Packet Tracer - Skills Integration Challenge (SN 1.3.1.2)

3/12/14 7:51 AM

instructor.indb 12

3/12/14 7:51 AM

CHAPTER 2

LAN Redundancy

Computer networks are inextricably linked to productivity in today’s small and medium-sized businesses. Consequently, IT administrators have to implement redundancy in their hierarchical networks. When a switch connection is lost, another link needs to quickly take its place without introducing any traffic loops. This chapter investigates how Spanning Tree Protocol (STP) logically blocks physical loops in the network and how STP has evolved into a robust protocol that rapidly calculates which ports should be blocked in a VLAN-based network. In addition, the chapter briefly explores how Layer 3 redundancy is implemented through First Hop Redundancy Protocols (FHRPs).

instructor.indb 13

3/12/14 7:51 AM

14


Spanning-Tree Concepts Redundancy increases the availability of a network topology by protecting the network from a single point of failure, such as a failed network cable or switch. STP was developed to address the issue of loops in a redundant Layer 2 design.

Draw a Redundant Topology In Figure 2-1, draw redundant links between the access, distribution, and core switches. Each access switch should have two links to the distribution layer with each link connecting to a different distribution layer switch. Each distribution layer switch should have two links to the core layer with each link connecting to a different core layer switch. Figure 2-1

Redundant Topology C1

D1

C2

D2

D3

Distribution

D4

S1

S2

S3

S4

S5

S6

PC1

PC2

PC3

PC4

PC5

PC6

Figure 2-1a

Access

Redundant Topology (answer) C1

D1

instructor.indb 14

Core

C2

D2

D3

Core

Distribution

D4

S1

S2

S3

S4

S5

S6

PC1

PC2

PC3

PC4

PC5

PC6

Access

3/12/14 7:51 AM

Chapter 2: LAN Redundancy

15

Purpose of Spanning Tree STP prevents specific types of issues in a redundant topology like the one in Figure 2-1. Specifically, three potential issues would occur if STP was not implemented. Describe each of the following issues: ■

MAC database instability: Instability in the content of the MAC address table results from copies of the same frame being received on different ports of the switch. Data forwarding can be impaired when the switch consumes the resources that are coping with instability in the MAC address table.

■

Broadcast storms: Without some loop-avoidance process, each switch may flood broadcasts endlessly. This situation is commonly called a broadcast storm.

■

Multiple frame transmission: Multiple copies of unicast frames may be delivered to destination stations. Many protocols expect to receive only a single copy of each transmission. Multiple copies of the same frame can cause unrecoverable errors.

You should be prepared to use a topology like Figure 2-1 to explain exactly how these three issues would occur if STP was not implemented. Packet Tracer Activity

Packet Tracer - Examining a Redundant Design (SN 2.1.1.5/SwN 4.1.1.5)

Spanning-Tree Operation Because Rapid Spanning Tree Protocol (RSTP), which is documented in IEEE 802.1D-2004, supersedes the original STP documented in IEEE 802.1D-1998, all references to STP assume RSTP unless otherwise indicated. STP ensures that there is only one logical path between all destinations on the network by intentionally blocking redundant paths that could cause a loop. A switch port is considered blocked when network traffic is prevented from entering or leaving that port. STP uses the spanning-tree algorithm (STA) to determine which switch ports on a network need to be blocking to prevent loops from occurring. The STA designates a single switch as the root bridge and uses it as the reference point for all subsequent calculations. Switches participating in STP determine which switch has the lowest bridge ID (BID) on the network. This switch automatically becomes the root bridge. A bridge protocol data unit (BPDU) is a frame containing STP information exchanged by switches running STP. Each BPDU contains a BID that identifies the switch that sent the BPDU. The lowest BID value determines which switch is root. After the root bridge has been determined, the STA calculates the shortest path to the root bridge. If there is more than one path to choose from, STA chooses the path with the lowest path cost.

instructor.indb 15

3/12/14 7:51 AM

16


When the STA has determined the “best” paths emanating from the root bridge, it configures the switch ports into distinct port roles. The port roles describe their relation in the network to the root bridge and whether they are allowed to forward traffic: ■

Root ports: Switch ports closest to the root bridge

■

Designated ports: Nonroot ports that are still permitted to forward traffic on the network

■

Alternate and backup ports: Ports in a blocking state to prevent loops

■

Disabled port: Ports that are administratively shut down

After a switch boots, it sends BPDU frames containing the switch BID and the root ID every 2 seconds. Initially, each switch identifies itself as the root bridge after boot. How would a switch determine that another switch is now the root bridge? If the root ID in the BPDU received from another switch is lower than the root ID on the receiving switch, the receiving switch updates its cached root ID information to that of the sending switch. How does the STA determine path cost? The path information is determined by summing up the individual egress port costs along the path from the respective switch to the root bridge. Record the default port costs for various link speeds in Table 2-1. Table 2-1

Port Costs

Link Speed

Cost (Revised IEEE Specification)

Cost (Previous IEEE Specification)

10 Gbps

2

1

1 Gbps

4

1

100 Mbps

19

10

10 Mbps

100

100

Although switch ports have a default port cost associated with them, the port cost is configurable. To configure the port cost of an interface, enter the spanning-tree cost value command in interface configuration mode. The range value can be between 1 and 200,000,000. Record the commands, including the switch prompt, to configure the port cost for F0/1 as 15: S2(config)# interface f0/1 S2(config-if)# spanning-tree cost 15

To verify the port and path cost to the root bridge, enter the show spanning-tree privileged EXEC mode command, as shown here: S2# show spanning-tree

VLAN0001 Spanning tree enabled protocol ieee

instructor.indb 16

3/12/14 7:51 AM


Root ID

Priority

32769

Address

c025.5cd7.ef00

Cost

15

Port

1 (FastEthernet0/1)

Hello Time

Bridge ID

2 sec

Max Age 20 sec

Priority

32769

Address

c07b.bcc4.a980

Hello Time Aging Time

Interface

Forward Delay 15 sec

(priority 32768 sys-id-ext 1)

2 sec 15

17

Max Age 20 sec


sec

Role Sts Cost

Prio.Nbr Type

------------------- ---- --- --------- -------- -------------------------------Fa0/1

Root FWD 15

128.1

P2p

Fa0/2

Altn BLK 19

128.2

P2p

Fa0/3

Desg LIS 19

128.3

P2p

Fa0/4

Desg LIS 19

128.4

P2p

Fa0/6

Desg FWD 19

128.6

P2p

The BID field of a BPDU frame contains three separate fields: bridge priority, extended system ID, and MAC address. Of these three fields, the bridge priority is a customizable value that you can use to influence which switch becomes the root bridge. The default value for this field is 32768. Cisco enhanced its implementation of STP to include support for the extended system ID field, which contains the ID of the VLAN with which the BPDU is associated. Because using the extended system ID changes the number of bits available for the bridge priority, the customizable values can only be multiples of 4096. When two switches are configured with the same priority and have the same extended system ID, the switch with the lowest MAC address has the lower BID.

Identify the 802.1D Port Roles The topologies in the next three figures do not necessarily represent an appropriate network design. However, they provide good exercise topologies for you to practice determining the STP port roles. In Figures 2-2 through 2-4, use the priority values and MAC addresses to determine the root bridge. Then label the ports with one of the following:

instructor.indb 17

■

RP: Root Port

■

DP: Designated Port

■

AP: Alternate Port

3/12/14 7:51 AM

18


Figure 2-2

802.1D Port Roles - Scenario 1 G1/1

G1/1 S2

S1 F0/1

F0/1

G1/2

F0/1

G1/2

F0/1 S4

S3 Device S1 S2 S3 S4

Figure 2-2a

Priority 32769 24577 32769 32769

MAC Address 000a:0001:1111 000a:0002:2222 000a:0003:3333 000a:0004:4444

802.1D Port Roles - Scenario 1 (answer) G1/1

G1/1 RP

S1 F0/1

DP DP

DP

S2 DP

RP G1/2

RP F0/1 S4


Figure 2-3

F0/1

G1/2

AP F0/1

Root

Priority 32769 24577 32769 32769

MAC Address 000a:0001:1111 000a:0002:2222 000a:0003:3333 000a:0004:4444


G1/1 S2

S1 F0/1

F0/1

G1/2

F0/1

G1/2

F0/1 S4


instructor.indb 18

Priority 24577 32769 32769 32769

MAC Address 000a:0001:1111 000a:0002:2222 000a:0003:3333 000a:0004:4444

3/12/14 7:51 AM


Figure 2-3a

802.1D Port Roles - Scenario 2 (answer) Root

G1/1

G1/1 DP

S1 F0/1

RP DP

DP

S2

F0/1

F0/1

G1/2

DP

RP

RP G1/2

AP F0/1 S4


Figure 2-4

Priority 24577 32769 32769 32769

MAC Address 000a:0001:1111 000a:0002:2222 000a:0003:3333 000a:0004:4444


G1/1 S2

S1 F0/1

F0/1

G1/2

F0/1

G1/2

F0/1 S4


Figure 2-4a

Priority 32769 32769 24577 32769

MAC Address 000a:0001:1111 000a:0002:2222 000a:0003:3333 000a:0004:4444

802.1D Port Roles - Scenario 3 (answer) G1/1

G1/1 DP

S1 F0/1

AP RP

RP

DP F0/1

S2 F0/1

G1/2

DP

RP G1/2

DP F0/1 S4

S3 Root Device S1 S2 S3 S4

instructor.indb 19

19

Priority 32769 32769 24577 32769

MAC Address 000a:0001:1111 000a:0002:2222 000a:0003:3333 000a:0004:4444

3/12/14 7:51 AM

20


Lab – Building a Switched Network with Redundant Links (SN 2.1.2.10/SwN 4.1.2.10)

Varieties of Spanning Tree Protocols STP has been improved multiple times since its introduction in the original IEEE 802.1D specification. A network administrator should know which type to implement based on the equipment and topology needs.

Comparing the STP Varieties Identify each of the STP varieties described in the following list: ■

Multiple Spanning Tree Protocol (MSTP): This is an IEEE that maps multiple VLANs into the same spanning tree instance.

■

Rapid Spanning Tree Protocol (RSTP) or IEEE 802.1w: This is an evolution of STP that provides faster convergence than STP.

■

802.1D-2004: This is an updated version of the STP standard, incorporating IEEE 802.1w.

■

PVST+: This is a Cisco enhancement of STP that provides a separate 802.1D spanning tree instance for each VLAN configured in the network.

■

Rapid PVST+: This is a Cisco enhancement that provides a separate instance of 802.1w per VLAN.

■

STP: This is the original IEEE 802.1D version (802.1D-1998 and earlier) that provides a loop-free topology in a network with redundant links.

Complete the cells in Table 2-2 to identify each the characteristics of each STP variety. Table 2-2

STP Characteristics - Exercise 1

Protocol

Standard

Resources Needed

Convergence

Tree Calculation

STP

802.1D

Low

Slow

All VLANs

PVST+

Cisco

High

Slow

Per VLAN

RSTP

802.1w

Medium

Fast

All VLANs

Rapid PVST+

Cisco

Very high

Fast

Per VLAN

MSTP

802.1s, Cisco

Medium or high

Fast

Per instance

In Table 2-3, indicate which varieties of STP are best described by the characteristic. Some characteristics apply to more than one STP variety.

instructor.indb 20

3/12/14 7:51 AM


Table 2-3

21

STP Characteristics - Exercise 2

Characteristic

STP

PVST+

RSTP

Rapid PVST+

MSTP

A Cisco implementation of 802.1s that provides up to 16 instances of RSTP.

X

Cisco enhancement of RSTP.

X

The default STP mode for Cisco Catalyst switches.

X

Has the highest CPU and memory requirements. Can lead to suboptimal traffic flows.

X X

X

Cisco proprietary versions of STP.

X

Cisco enhancement of STP. Provides a separate 802.1D spanning-tree instance for each VLAN.

X

There is only 1 root bridge and 1 tree.

X

Uses 1 IEEE 802.1D spanning-tree instance for the entire bridged network, regardless of the number of VLANs.

X

Supports PortFast, BPDU guard, BPDU filter, root guard, and loop guard. An evolution of STP that provides faster STP convergence.

X

X

X

X

X X

Maps multiple VLANs that have the same traffic flow requirements into the same spanning-tree instance. First version of STP to address convergence issues, but still provided only one STP instance.

MST

X

X

PVST+ Operation After a switch boots, the spanning tree is immediately determined as ports transition through five possible states and three BPDU timers on the way to convergence. Briefly describe each state:

instructor.indb 21

■

Blocking: The port is an alternate port and does not participate in frame forwarding. The port continues to process received BPDU frames to determine the location and root ID of the root bridge and what port role the switch port should assume in the final active STP topology.

■

Listening: STP has determined that the port can be selected as a root port or designated port based upon the information in the BPDU frames it has received so far. At this point, the switch port is not only receiving BPDU frames, it is also transmitting its own BPDU frames and informing adjacent switches that the switch port is preparing to participate in the active topology. The port returns to blocking state if it is determined that the port does not provide the lowest cost path to the root bridge.

3/12/14 7:51 AM

22


■

Learning: The port prepares to participate in frame forwarding and begins to populate the MAC address table.

■

Forwarding: The port is considered part of the active topology and forwards frames and also sends and receives BPDU frames.

■

Disabled: The Layer 2 port does not participate in spanning tree and does not forward or process frames. The switch port is administratively disabled.

Once stable, every active port in the switched network is either in the forwarding state or the blocking state. List and briefly describe the four steps PVST+ performs for each VLAN to provide a loop-free logical topology. Step 1.

Elects one root bridge: The root bridge is the switch with the lowest bridge ID.

Step 2.

Selects the root port on each nonroot bridge: STP establishes one root port on each nonroot bridge. The root port is the lowest-cost path from the nonroot bridge to the root bridge.

Step 3.

Selects the designated port on each segment: The designated port is selected on the switch that has the lowest-cost path to the root bridge.

Step 4.

The remaining ports in the switched network are alternate ports: Alternate ports normally remain in the blocking state, to logically break the loop topology.

In Table 2-4, answer the “Operation Allowed” question with “yes” or “no” for each port state. Table 2-4

Operations Allowed at Each Port State

Operation Allowed

Port State Blocking

Listening

Learning

Forwarding

Disabled

Can receive and process BPDUs

Yes

Yes

Yes

Yes

No

Can forward data frames received on interface

No

No

No

Yes

No

Can forward data frames No switched from another interface

No

No

Yes

No

Can learn MAC addresses

No

Yes

Yes

No

No

Rapid PVST+ Operation RSTP (IEEE 802.1w) is an evolution of the original 802.1D standard and is incorporated into the IEEE 802.1D-2004 standard. Rapid PVST+ is the Cisco implementation of RSTP on a perVLAN basis. What is the primary difference between Rapid PVST+ and RSTP? With Rapid PVST+, an independent instance of RSTP runs for each VLAN. Briefly describe the RSTP concept that corresponds to the PVST+ PortFast feature. RSTP identifies those ports that can be considered edge ports that are directly connected to an end device. Because edge ports are not connected to another switch, they can immediately transition to the forwarding state.

instructor.indb 22

3/12/14 7:51 AM


23

What command implements Cisco’s version of an edge port? spanning-tree portfast In Table 2-5, indicate whether the characteristic describes PVST+, Rapid PVST+, or both. Table 2-5

Comparing PVST+ and Rapid PVST+

Characteristic

PVST+

Rapid PVST+

Cisco proprietary protocol.

Both

X

Port roles: root, designated, alternate, edge, backup.

X

CPU processing and trunk bandwidth usage is greater than with STP.

X

Ports can transition to forwarding state without relying on a timer.

X

The root bridge is determined by the lowest BID + VLAN ID + MAC. Runs a separate IEEE 802.1D STP instance for each VLAN.

X X

Possible to have load sharing with some VLANS forwarding on each trunk.

X

Sends a BPDU “hello message” every 2 seconds.

X

Spanning-Tree Configuration It is crucial to understand the impact of a default switch configuration on STP convergence and what configurations can be applied to adjust the default behavior.

PVST+ and Rapid PVST+ Configuration Complete Table 2-6 to show the default spanning-tree configuration for a Cisco Catalyst 2960 series switch. Table 2-6

Default Switch Configuration

Feature

Default Setting

Enable state

Enabled on VLAN 1

Spanning-tree mode

PVST+

Switch priority

32768

Spanning-tree port priority (configurable on a per-interface basis)

128

Spanning-tree port cost (configurable on a per-interface basis)

1000 Mbps: 4 100 Mbps: 19 10 Mbps: 100

Spanning-tree VLAN port priority (configurable on a per-VLAN basis)

instructor.indb 23

128

3/12/14 7:51 AM

24


Feature

Default Setting

Spanning-tree VLAN port cost (configurable on a per-VLAN basis)

1000 Mbps: 4 100 Mbps: 19 10 Mbps: 100

Spanning-tree timers

Hello time: 2 seconds Forward-delay time: 15 seconds Maximum-aging time: 20 seconds Transmit hold count: 6 BPDUs

Document the two different configuration commands that you can use to configure the bridge priority value so that the switch is root for VLAN 1. Use the value 4096 when necessary: S1(config)# spanning-tree vlan 1 root primary !or S1(config)# spanning-tree vlan 1 priority 4096

Record the command to verify that the local switch is now root: S1# show spanning-tree

VLAN0001 Spanning tree enabled protocol ieee Root ID

Priority

24577

Address

000A.0033.3333

This bridge is the root Hello Time

Bridge ID

2 sec

Max Age 20 sec

Priority

24577

Address

0019.aa9e.b000

Hello Time

2 sec


(priority 24576 sys-id-ext 1)

Max Age 20 sec


Aging Time 300

Interface

Role Sts Cost

Prio.Nbr Type

---------------- ---- --- --------- -------- -------------------------------Fa0/1

Desg FWD 4

128.1

Shr

Fa0/2

Desg FWD 4

128.2

Shr

Explain the purpose of the BPDU guard feature on Cisco switches. The BPDU guard feature protects the spanning tree from recalculations that might occur if a BPDU is received on an edge port because it connected to a switch.

instructor.indb 24

3/12/14 7:51 AM


25

What command interface configuration command enables BPDU guard? spanning-tree bpduguard enable What global configuration command will configure all nontrunking ports as edge ports? spanning-tree portfast default What global configuration command will configure BPDU guard on all PortFast-enabled ports? spanning-tree portfast bpduguard default The power of PVST+ is that it can load balance across redundant links. By default, the leastfavored redundant link is not used. So, you must manually configure PVST+ to use the link. Figure 2-5 represents a small section of Figure 2-1, showing only two distribution layer switches and one access layer switch. For this example, we have attached PC2 to S1. PC1 is assigned to VLAN 15, and PC2 is assigned to VLAN 25. D1 should be the primary root for VLAN 1 and VLAN 15 and the secondary root for VLAN 25. D2 should be the primary root for VLAN 25 and the secondary root for VLAN 15. Figure 2-5

PVST+ Configuration Topology Root for VLAN 15

Root for VLAN 25

D1

D2

S1

PC1

PC2

VLAN 15

VLAN 25

Based on these requirements, document the commands to modify the default PVST+ operation on D1 and D2. D1 commands D1(config)# spanning-tree vlan 1 root primary D1(config)# spanning-tree vlan 15 root primary D1(config)# spanning-tree vlan 25 root secondary

D2 commands D2(config)# spanning-tree vlan 15 root secondary D2(config)# spanning-tree vlan 25 root primary

instructor.indb 25

3/12/14 7:51 AM

26


Document the commands to configure all nontrunking ports on S1 as edge ports with BPDU guard enabled. S1(config)# spanning-tree portfast default S1(config)# spanning-tree portfast bpduguard default

Now, assume that you want to run rapid PVST+ on all three switches. What command is required? spanning-tree mode rapid-pvst Lab - Configuring Rapid PVST+, PortFast, and BPDU Guard (SN 2.3.2.3/SwN 4.3.2.3) Packet Tracer Activity Packet Tracer Activity

Packet Tracer - Configuring PVST+ (SN 2.3.1.5/SwN 4.3.1.5) Packet Tracer - Configuring Rapid PVST+ (SN 2.3.2.2/SwN 4.3.2.2)

First Hop Redundancy Protocols Up to this point, we’ve been reviewing STP and how to manipulate the election of root bridges and load balance across redundant links. In addition to Layer 1 and Layer 2 redundancy, a high-availability network might also implement Layer 3 redundancy by sharing the default gateway responsibility across multiple devices. Through the use of a virtual IP address, two Layer 3 devices can share the default gateway responsibility. The section reviews First Hop Redundancy Protocols (FHRPs) that provide Layer 3 redundancy.

instructor.indb 26

3/12/14 7:51 AM


27

Identify FHRP Terminology Match the definition on the left with the terms on the right. This is a one-to-one matching exercise. Definitions

Terms

b. The ability to dynamically recover from the failure of a device acting as the default gateway

b. First-hop redundancy

h. Two or more routers sharing a single MAC and IP address

d. Redundancy rrotocol

c. A device that is part of a virtual router group assigned to the role of default gateway

f. Virtual IP address

d. Provides the mechanism for determining which router should take the active role in forwarding traffic

a. Default gateway c. Forwarding router e. Standby router g. Virtual MAC address h. Virtual router

a. A device that routes traffic destined to network segments beyond the source network segment e. A device that is part of a virtual router group assigned the role of alternate default gateway f. A Layer 3 address assigned to a protocol that shares the single address among multiple devices g. The Layer 2 address returned by ARP for an FHRP gateway

instructor.indb 27

3/12/14 7:51 AM

28


Identify the Type of FHRP In Table 2-7, indicate whether the characteristic describes HSRP, VRRP, or GLBP. Table 2-7

FHRP Characteristics

FHRP Characteristic

HSRP

Used in a group of routers for selecting an active device and a standby device.

GLBP

X

A nonproprietary election protocol that allows several routers on a multi-access link to use the same virtual IPv4 address. Cisco-proprietary FHRP protocol designed to allow for transparent failover of a first-hop IPv4 devices.

VRRP

X X

Cisco-proprietary FHRP protocol that protects data traffic from a failed router or circuit while also allowing load sharing between a group of redundant routers.

X

One router is elected as the virtual router master, with the other routers acting as backups in case the virtual router master fails.

X

HSRP and GLBP Configuration and Verification Refer to the topology in Figure 2-6. R2 has been configured for HSRP group 20, priority 120, IP address 192.168.1.20, and virtual IP address 192.168.1.1. Figure 2-6

HSRP and GLBP Configuration Topology

Core

R2 192.168.1.20

Virtual IP 192.168.1.1

R1 192.168.1.10

Example 2-1 shows the HSRP configuration for R2. Example 2-1

R2 HSRP Configuration

R2# show run interface g0/1 interface GigabitEthernet0/1 ip address 192.168.1.20 255.255.255.0 standby 20 ip 192.168.1.1 standby 20 priority 120

instructor.indb 28

3/12/14 7:51 AM


29

Using the information in Example 2-1, document the commands to configure R1 as the HSRP active router in group 20 using a priority of 210. R1(config)# interface GigabitEthernet0/1 R1(config-if)# ip address 192.168.1.10 255.255.255.0 R1(config-if)# no shutdown R1(config-if)#standby 20 ip 192.168.1.1 R1(config-if)#standby 20 priority 210

What command would generate the following output to verify the HSRP configuration? R1# show standby brief P indicates configured to preempt. | Interface

Grp

Pri P State

Active

Standby

Virtual IP

Gi0/1

20

210

local

192.168.1.20

192.168.1.1

Active

Now assume that all HSRP configurations have been removed. R2 has been configured for GLBP group 20, priority 120, IP address 192.168.1.20, and virtual IP address 192.168.1.1. Example 2-2 shows the GLBP configuration for R2. Example 2-2

R2 GLBP Configuration

R2# show run interface g0/1 interface GigabitEthernet0/1 ip address 192.168.1.20 255.255.255.0 glbp 20 ip 192.168.1.1 glbp 20 priority 120

Using the information in Example 2-2, document the commands to configure R1 to be in GLBP group 20 using a priority of 210. R1(config)# interface GigabitEthernet0/1 R1(config-if)# ip address 192.168.1.10 255.255.255.0 R1(config-if)# no shutdown R1(config-if)# glbp 20 ip 192.168.1.1 R1(config-if)# glbp 20 priority 210

What command would generate the following output to verify the GLBP configuration? R1# show glbp GigabitEthernet0/0 - Group 20 State is Active 1 state change, last state change 00:03:05 Virtual IP address is 192.168.1.1

instructor.indb 29

3/12/14 7:51 AM

30


Hello time 3 sec, hold time 10 sec Next hello sent in 1.792 secs Redirect time 600 sec, forwarder timeout 14400 sec Preemption disabled Active is local Standby is 192.168.1.20, priority 120 (expires in 9.024 sec) Priority 210 (configured) Weighting 100 (default 100), thresholds: lower 1, upper 100 Load balancing: round-robin Group members: 0006.f671.db58 (192.168.1.10) local 0006.f671.eb38 (192.168.1.20) There are 2 forwarders (1 active) Forwarder 1 State is Active 1 state change, last state change 00:02:53 MAC address is 0007.b400.0a01 (default) Owner ID is 0006.f671.db58 Redirection enabled Preemption enabled, min delay 30 sec Active is local, weighting 100 Forwarder 2 State is Listen MAC address is 0007.b400.0a02 (learnt) Owner ID is 0006.f671.eb38 Redirection enabled, 599.040 sec remaining (maximum 600 sec) Time to live: 14399.040 sec (maximum 14400 sec) Preemption enabled, min delay 30 sec Active is 192.168.1.20 (primary), weighting 100 (expires in 9.312 sec)

Lab - Configuring HSRP and GLBP (SN 2.4.3.4/SwN 4.4.3.4)

instructor.indb 30

3/12/14 7:51 AM

CHAPTER 3

Link Aggregation

Link aggregation is the ability to create one logical link using multiple physical links between two devices. This allows load sharing among the physical links, rather than having a STP block one or more of the links.

instructor.indb 31

3/12/14 7:51 AM

32


Link Aggregation Concepts One of the best ways to reduce the time it takes for STP convergence is to simply avoid STP. EtherChannel is a form of link aggregation used in switched networks.

EtherChannel Advantages EtherChannel technology was originally developed by Cisco as a technique of grouping several Fast Ethernet or Gigabit Ethernet switch ports into one logical channel. List at least three advantages to using EtherChannel: ■

Most configuration tasks can be done on the EtherChannel interface instead of on each individual port.

■

EtherChannel relies on existing switch ports. No need to upgrade.

■

Load balancing takes place between links that are part of the same EtherChannel.

■

EtherChannel creates an aggregation that is seen as one logical link. Where there is only one EtherChannel link, all physical links in the EtherChannel are active because STP sees only one (logical) link.

■

EtherChannel provides redundancy because the overall link is seen as one logical connection. Assuming at least one physical link is present; the EtherChannel remains functional, even if its overall throughput decreases because of a lost link within the EtherChannel.

EtherChannel Operation You can configure EtherChannel as static or unconditional. However, there are also two protocols that can be used to configure the negotiation process: Port Aggregation Protocol (PAgP— Cisco proprietary) and Link Aggregation Control Protocol (LACP—IEEE 802.3ad). These two protocols ensure that both sides of the link have compatible configurations—same speed, duplex setting, and VLAN information. The modes for each differ slightly. For PAgP, briefly describe each of the following modes: ■

On: This mode forces the interface to channel without PAgP.

■

Desirable: The interface initiates negotiations with other interfaces by sending PAgP packets.

■

Auto: The interface responds to the PAgP packets that it receives, but does not initiate PAgP negotiation.

For LACP, briefly describe each of the following modes: ■

On: This mode forces the interface to channel without LACP.

■

Active: The interface initiates negotiations with other interfaces by sending LACP packets.

■

Passive: The interface responds to the LACP packets that it receives, but does not initiate LACP negotiation.

In Table 3-1, indicate the mode that is described.

instructor.indb 32

3/12/14 7:51 AM

Chapter 3: Link Aggregation

Table 3-1

33

PAgP and LACP Modes

Mode

PAgP and/or LACP Mode Description

Active

Initiates LACP negotiations with other interfaces.

On

Forces EtherChannel state without PAgP or LACP initiated negotiations.

Auto

Places an interface in a passive, responding state. Does not initiate PAgP negotiations.

Desirable

Actively initiates PAgP negotiations with other interfaces.

Passive

Places an interface in a passive, responding state. Does not initiate LACP negotiations.

The mode that is configured on each side of the EtherChannel link determines whether EtherChannel will be operational. In Table 3-2, two switches are using PAgP. Indicate with “yes” or “no” whether EtherChannel is established. Table 3-2

EtherChannel Negotiation Using PAgP

Switch 1 Mode

Switch 2 Mode

EtherChannel Established?

Auto

Auto

No

Auto

Desirable

Yes

On

Desirable

No

On

Off

No

Desirable

Desirable

Yes

In Table 3-3, two switches are using LACP. Indicate with “yes” or “no” whether EtherChannel is established. Table 3-3

EtherChannel Negotiation Using LACP

Switch 1 Mode

Switch 2 Mode

EtherChannel Established?

Passive

On

No

Passive

Active

Yes

On

On

Yes

Passive

Passive

No

On

Active

No

Link Aggregation Configuration EtherChannel configuration is rather straightforward once you decide on which protocol you will use. In fact, the easiest method is to just force both sides to be on.

instructor.indb 33

3/12/14 7:51 AM

34


Configuring EtherChannel To configure EtherChannel, complete the following steps: Step 1.

Specify the interfaces that, participate in the EtherChannel group using the interface range interface command. What are the requirements for each interface before they can form an EtherChannel? All interfaces must support EtherChannel, be configured with the same speed and duplex settings, support the same VLAN or be configured as a trunk, and share the same range of allowed VLANs on trunks.

Step 2.

Create the port channel interface with the channel-group identifier mode {on | auto | desirable | active | passive} command in interface range configuration mode. The keyword on forces the port to channel without PAgP or LACP. The keywords auto and desirable enable PAgP. The keywords active and passive enable LACP.

Step 3.

The channel-group command automatically creates a port channel interface using the identifier as the number. Use the interface port-channel identifier command to configure channel-wide settings like trunking, native VLANs, or allowed VLANs.

As you can see from the configuration steps, the way you specify whether to use PAgP, LACP, or no negotiations is by configuring one keyword in the channel-group command. So, with those steps in mind, consider Figure 3-1 in each of the following configuration scenarios. Figure 3-1

EtherChannel Topology Fa0/1 S1

Fa0/2

S2

EtherChannel Configuration Scenario 1 Record the commands, including the switch prompt, to configure the S1 Fa0/1 and Fa0/2 into an EtherChannel without negotiations. Then force the channel to trunking using native VLAN 99. S1(config)# interface range fa0/1-2 S1(config-range-if)# channel-group 1 mode on S1(config-range-if)# interface port-channel 1 S1(config-if)# switchport mode trunk S1(config-if)# switchport trunk native vlan 99

EtherChannel Configuration Scenario 1 Record the commands, including the switch prompt, to configure the S1 Fa0/1 and Fa0/2 into an EtherChannel using PAgP. S1 should initiate the negotiations. The channel should trunk, allowing only VLANs 1, 10, and 20. S1(config)# interface range fa0/1-2 S1(config-range-if)# channel-group 1 mode desirable S1(config-range-if)# interface port-channel 1 S1(config-if)# switchport mode trunk S1(config-if)# switchport trunk allowed vlan 1,10,20

instructor.indb 34

3/12/14 7:51 AM


35

EtherChannel Configuration Scenario 1 Record the commands, including the switch prompt, to configure the S1 Fa0/1 and Fa0/2 into an EtherChannel using LACP. S1 should not initiate the negotiations. The channel should trunk, allowing all VLANs. S1(config)# interface range fa0/1-2 S1(config-range-if)# channel-group 1 mode passive S1(config-range-if)# interface port-channel 1 S1(config-if)# switchport mode trunk

Lab - Configuring EtherChannel (SN 3.2.1.4/SwN 5.2.1.4) Packet Tracer Activity

Packet Tracer - Configuring EtherChannel (SN 3.2.1.3/SwN 5.2.1.3)

Verifying and Troubleshooting EtherChannel Record the commands used to display the output in Example 3-1. Example 3-1

EtherChannel Verification Commands

S1# show interface port-channel1 Port-channel1 is up, line protocol is up (connected) Hardware is EtherChannel, address is 0cd9.96e8.8a01 (bia 0cd9.96e8.8a01) MTU 1500 bytes, BW 200000 Kbit/sec, DLY 100 usec, reliability 255/255, txload 1/255, rxload 1/255

S1# show etherchannel summary Flags:

D - down

P - bundled in port-channel

I - stand-alone s - suspended H - Hot-standby (LACP only) R - Layer3

S - Layer2

U - in use

f - failed to allocate aggregator

M - not in use, minimum links not met u - unsuitable for bundling w - waiting to be aggregated d - default port

Number of channel-groups in use: 1 Number of aggregators:

instructor.indb 35

1

3/12/14 7:51 AM

36


Group

Port-channel

Protocol

Ports

------+-------------+-----------+----------------------------------------------1

Po1(SU)

LACP

Fa0/1(P)

Fa0/2(P)

S1# show etherchannel port-channel Channel-group listing: ----------------------

Group: 1 ---------Port-channels in the group: ---------------------------

Port-channel: Po1

(Primary Aggregator)

------------

Age of the Port-channel Logical slot/port

= 0d:00h:25m:17s

= 2/1

Number of ports = 2

HotStandBy port = null Port state

= Port-channel Ag-Inuse

Protocol

=

Port security

= Disabled

LACP

Ports in the Port-channel:

Index

Load

Port

EC state

No of bits

------+------+------+------------------+----------0

00

Fa0/1

Active

0

0

00

Fa0/2

Active

0

Time since last port bundled:

0d:00h:05m:41s

Fa0/2

Time since last port Un-bundled: 0d:00h:05m:48s

Fa0/2

S1# show interfaces f0/1 etherchannel Port state

Channel group = 1

Mode = Active

Gcchange = -

Port-channel

= Po1

GC

Pseudo port-channel = Po1

Port index

= 0

Load = 0x00

Flags:

instructor.indb 36

= Up Mstr Assoc In-Bndl

=

-

Protocol =

LACP

S - Device is sending Slow LACPDUs

F - Device is sending fast LACPDUs.

A - Device is in active mode.

P - Device is in passive mode.

3/12/14 7:51 AM


37

Local information: LACP port

Admin

Oper

Port

Port

Port

Flags

State

Priority

Key

Key

Number

State

Fa0/1

SA

bndl

32768

0x1

0x1

0x102

0x3D

Partner's information:

LACP port Port

Flags

Priority

Dev ID

Fa0/1

SA

32768

0cd9.96d2.4000

Admin

Oper

Port

Port

Age

key

Key

Number

State

4s

0x0

0x1

0x102

0x3D

Age of the port in the current state: 0d:00h:24m:59s S1#

When troubleshooting an EtherChannel issue, keep in mind the configuration restrictions for interfaces that participate in the channel. List at least four restrictions. ■

All ports must be in the same VLANs or configured as trunks.

■

Trunking mode must be the same for each side of the channel.

■

Allowed VLANs on trunks must be the same for both sides.

■

Both sides of the channel must be configured with compatible PAgP or LACP dynamic negotiation options.

■

The link speed and duplex setting must match.

Refer to the output for S1 and S2 in Example 3-2. Record the command that generated the output. Example 3-2

Troubleshooting an EtherChannel Issue

S1# show etherchannel summary Flags:

D - down

P - bundled in port-channel

I - stand-alone s - suspended H - Hot-standby (LACP only) R - Layer3

S - Layer2

U - in use

f - failed to allocate aggregator

M - not in use, minimum links not met u - unsuitable for bundling w - waiting to be aggregated d - default port Number of channel-groups in use: 1 Number of aggregators:

1

Group

Ports

Port-channel

Protocol

------+-------------+-----------+----------------------------------------------1

Po1(SD)

-

Fa0/1(D)

Fa0/2(D)

S1# show run | begin interface Port-channel

instructor.indb 37

3/12/14 7:51 AM

38


interface Port-channel1 switchport mode trunk ! interface FastEthernet0/1 switchport mode trunk channel-group 1 mode auto ! interface FastEthernet0/2 switchport mode trunk channel-group 1 mode auto ! S 1# S2# show run | begin interface Port-channel interface Port-channel1 switchport mode trunk ! interface FastEthernet0/1 switchport mode trunk channel-group 1 mode auto ! interface FastEthernet0/2 switchport mode trunk channel-group 1 mode auto ! S2#

Explain why the EtherChannel between S1 and S2 is down. Both sides of the link are set to the PAgP auto mode, which means that the interface will listen for PAgP packets but will not initiate negotiations. Neither side initiates negotiation, so the channel is down. EtherChannel and spanning tree must interoperate. For this reason, the order in which EtherChannel-related commands are entered is important. To correct this issue, you must first remove the port channel. Otherwise, spanning-tree errors cause the associated ports to go into blocking or errdisabled state. With that in mind, what would you suggest to correct the issue shown in Example 3-2 if the requirement is to use PAgP? What commands would be required? Remove the port channel 1 interface, and then configure the interfaces to use desirable mode. This can be done on one or both switches. S1(config)# no interface Port-channel 1 S1(config)# interface range f0/1 - 2 S1(config-if-range)# channel-group 1 mode desirable

instructor.indb 38

3/12/14 7:51 AM


39

S1(config-if-range)# interface Port-channel 1 S1(config-if)# switchport mode trunk S2(config)# no interface Port-channel 1 S2(config)# interface range f0/1 - 2 S2(config-if-range)# channel-group 1 mode desirable S2(config-if-range)# no shutdown S2(config-if-range)# interface Port-channel 1 S2(config-if)# switchport mode trunk

Lab - Troubleshooting EtherChannel (SN 3.2.2.4/SwN 5.2.2.4) Packet Tracer Activity

instructor.indb 39

Packet Tracer - Troubleshooting EtherChannel (SN 3.2.2.3/SwN 5.2.2.3) Packet Tracer - Skills Integration Challenge (SN 3.3.1.2/SwN 5.3.1.2)

3/12/14 7:51 AM

instructor.indb 40

3/12/14 7:51 AM

CHAPTER 4

Wireless LANs

Wireless networks are becoming increasingly ubiquitous. If you have a router at home, chances are it supports a wireless LAN (WLAN). In the work environment, WLANs provide the ability to connect from any location at any time within the campus network. WLANs use radio frequencies that present some unique design and implementation considerations. This chapter reviews WLAN technology, components, security, planning, implementation, and troubleshooting.

instructor.indb 41

3/12/14 7:51 AM

42


Wireless LAN Concepts Wireless access can result in increased productivity and more relaxed employees. With wireless networking, employees have the flexibility to work when they want, where they want. This section reviews basic wireless concepts and components.

Identify Wireless Technologies When referring to communication networks, the term wireless encompasses a wide variety of technologies. Although the focus for the CCNA student is on WLANs, you should also be aware of the basic features of other wireless technologies and applications. In Table 4-1, indicate the wireless technology described by each feature. Table 4-1

Identify the Wireless Technology

Wireless Technology Feature

Bluetooth

Wi-Fi

WiMax

Cellular

Clear line of sight required

X

IEEE 802.16 IEEE 802.15

X X

Uses 2G, 3G, and 4G variations

X

Supports speeds up to 1 Gbps

X

Provides mobile broadband connectivity

X

Supports download speeds up to 10 Mbps

X

Supports speeds up to 5 Mbps

X

Distance transmissions of up to 300 meters

X

Requires directional dish aligned with GEO device Supports speeds up to 24 Mbps

X X

Transmission distances of up to 30 miles (50 km) Distance transmissions of up to 100 meters

Satellite

X X

Supports speeds up to 7 Gbps

X

IEEE 802.11

X

WLANs standards began in 1997 with the first 802.11 specification. Subsequent revisions have increased the speed and changed the frequency. As the standard rapidly evolved, it became important to maintain backward compatibility so that devices would still be able to connect to newer and faster access points. In Table 4-2, all the current flavors of 802.11 are listed in chronological order. For each one, indicate the maximum speed, frequency or frequencies, and with what earlier versions the specification is compatible (if any).

instructor.indb 42

3/12/14 7:51 AM

Chapter 4: Wireless LANs

Table 4-2

43

Comparing the WLAN Standards

IEEE Standard Maximum Speed

Frequency

Backward Compatibility With

802.11

2 Mbps

2.4 GHz

None

802.11a

54 Mbps

5 GHz

None

802.11b

11 Mbps

2.4 GHz

None

802.11g

54 Mbps

2.4 GHz

802.11b

802.11n

600 Mbps

2.4 GHz and 5 GHz

802.11a/b/g

802.11ac

1.3 Gbps

5 GHz

802.11a/n

802.11ad

7 Gbps

2.4 GHz, 5 GHz, and 60 GHz 802.11a/b/g/n/ac

Using your completed Table 4-2, indicate in Table 4-3 the frequencies at which each standard operates. Table 4-3

WLAN Standards and Frequencies

2.4 GHz (UHF)

5 GHz (SFH)

802.11a

802.11a

60 GHz (EHF)

X

802.11a

802.11b

X

802.11b

802.11b

802.11g

X

802.11g

802.11g

802.11n

X

802.11n

X

802.11n

802.11ac

X

802.11ac

802.11ad

X

802.11ad

802.11ac X

802.11ad

X

As a network technician, you should be aware of other wireless applications that could potentially cause problems with your WLAN implementations. In Table 4-4, indicate the frequency for each wireless application. Some applications may use more than one frequency. Table 4-4

Wireless Application Frequencies

Wireless Application

2.4 GHz (UHF)

Cellular broadband

X

5 GHz (SHF)

X

Radar landing systems GPS systems

X X

Radio astronomy Bluetooth

60 GHz (EHF)

X

X

Satellite communications

X

Microwave communications

X

In Table 4-5, indicate whether the feature describes LANs or WLANs.

instructor.indb 43

3/12/14 7:51 AM

44


Table 4-5

Comparing LANs and WLANs

WLAN or LAN Feature

802.3 LANs

Collision detection (CSMA/CD).

X

Cables are used to interconnect devices.

X

802.11 WLANs

Additional laws and regulations in local areas may apply.

X

Allows for device mobility.

X

Signal interference is normally not a problem.

X

Collision avoidance (CSMA/CA). Connects to an Ethernet switch.

X X

Radio frequencies (RFs) are used to interconnect devices.

X

Connects to an access point.

X

Provides for better security.

X

WLANs Components and Topologies Today, all laptops, tablets, and smartphones include an integrated wireless NIC. However, desktop computers usually do not. In a home or small office network, it might not be desirable or feasible to run cabling to a desktop. In such situations, you can easily install a wireless network interface card (NIC) to provide connectivity. Wireless NICs associate (and possibly authenticate) with an access point (AP). Briefly explain the difference between an autonomous AP and controller-based AP. Autonomous APs are standalone devices configured using the Cisco CLI or a GUI. Autonomous APs are useful in situations where only a couple of APs are required in the network. A home router is a good example of an autonomous AP. Controller-based APs are serverdependent devices that require no initial configuration, but are automatically configured and managed by a WLAN controller. Two or more autonomous APs can be combined into a cluster to ease management requirements. What four conditions must be met before a cluster can be formed: ■

Clustering mode is enabled on the APs.

■

The APs joining the cluster have the same cluster name.

■

The APs are connected on the same network segment.

■

The APs use the same radio mode.

Briefly explain the two main 802.11 wireless topologies:

instructor.indb 44

■

Ad hoc mode: When two devices connect wirelessly without the aid of an infrastructure device, such as a wireless router or AP. Examples include Bluetooth and Wi-Fi Direct.

■

Infrastructure mode: When wireless clients interconnect via a wireless router or AP, such as in WLANs. APs connect to the network infrastructure using the wired distribution system (DS), such as Ethernet.

3/12/14 7:51 AM


45

In Figure 4-1, label the two wireless topologies with either infrastructure mode or ad hoc mode. Figure 4-1

WLAN Topologies

The topology on the left shows an example of infrastructure mode. The topology on the right shows an example of ad hoc mode. Infrastructure mode uses two topology building blocks: a basic service set (BSS) and an extended service set (ESS). Briefly describe each and how they interrelate. A BSS consists of a single AP interconnecting all associated wireless clients. When a single BSS provides insufficient RF coverage, two or more BSSs can be joined through a common distribution system (DS) into an ESS. Lab - Investigating Wireless Implementations (SN 4.1.2.10/SwN 8.1.2.10)

Wireless LAN Operations WLAN operations have similar structures and concepts to Ethernet’s 802.3. 802.11 uses a frame format similar to 802.3, but with more fields. 802.11 uses a collision detection system similar to Ethernet’s carrier sense multiple access collision detect (CSMA/CD). However, Ethernet does not have to worry about finding, authenticating, and associating with an AP. Nor does Ethernet have to worry about managing channels on the wireless radio frequencies. This section reviews the 802.11 frame, CSMA/CA, AP association, and channel management.

Label the 802.11 Frame In Figure 4-2, label each field in the 802.11 frame.

instructor.indb 45

3/12/14 7:51 AM

46


Figure 4-2

802.11 Frame Format

Header

Figure 4-2a

Payload

FCS

Payload

FCS

802.11 Frame Format (answer)

Header

Frame Control

Duration

Address1 Address2 Address3

Sequence Address4 Control

Power Protocol Frame Frame More More ToDS FromDS Retry ManageSecurity Reserved Version Type Subtype Fragments Data ment

instructor.indb 46

3/12/14 7:51 AM


47

Match the subfield description on the left with the subfield on the right. This is a one-to-one matching exercise. Subfield Description e. Indicates whether encryption/authentication is

being used b. Identifies the frame as either a management,

control, or data frame d. Active or power-save mode status of the send-

ing device

Subfield a. Protocol version b. Frame subtype c. FromDS d. Power management e. Security

a. Specifies which 802.11 protocols is being used c. Indicates to an associated AP client that data

is exiting a DS (distributed system)

instructor.indb 47

3/12/14 7:51 AM

48


Wireless Media Contention A wireless device operates in a half-duplex, shared media environment. So, a wireless device must also sense the carrier because multiple devices have access—carrier sense multiple access (CSMA). However, unlike half-duplex Ethernet operations, a wireless device that is sending cannot also listen for collision. Therefore, IEEE developed a collision avoidance (the CA in CSMA/CA) mechanism called the distributed coordination function (DCF). Using DCF, a wireless client transmits only if the channel is clear. All transmissions are acknowledged. Therefore, if a wireless client does not receive an acknowledgment, it assumes a collision occurred and retries after a random waiting interval. In the flowchart in Figure 4-3, label the missing steps in the CSMA/CA process. Figure 4-3

CSMA/CA Process Start

Assemble a Frame

No

Yes

No

Yes Transmit Application Data

End

instructor.indb 48

3/12/14 7:51 AM


Figure 4-3a

49

CSMA/CA Process (answer) Start

Assemble a Frame

Is the Channel Idle?

No

Wait for Random Backoff Time

Yes Transmit RTS

CTS Received?

No

Yes Transmit Application Data

End

instructor.indb 49

3/12/14 7:51 AM

50


Associating with an AP Before a wireless device can communicate over the network, it must first associate with an AP or wireless router. To do so, it must discover and authenticate with an AP. Match the definitions on the left with the association parameter on the right. This is a one-to-one matching activity. Definitions

Security Parameter

e. A unique identifier that wireless clients use to distinguish between multiple wireless networks in the same vicinity

b. Password

d. Identifies the 802.11 WLAN standards supported by the AP

d. Network mode

a. Currently standards include WEP, WPA, or WPA2

a. Security mode c. Channel settings e. SSID

c. Refers to the frequency bands being used to transmit wireless data b. Prevents intruders and other unwanted users from associating with the AP

instructor.indb 50

3/12/14 7:51 AM


51

To discover and connect with an AP or wireless routers, clients use a probing process, which can either be passive or active, as shown in Figure 4-4. Label each example as either passive or active. Figure 4-4

Two Methods to Discover an AP Sender

Sender

Receiver

Beacon Frame (0x08)

Probe Request Frame (0x04)

• SSID • Supported standards • Security settings

Beacon Frame (0x08)

Receiver

• SSID • Supported standards

Probe Response Frame (0x05)



Beacon Frame (0x08) • SSID • Supported standards • Security settings

Passive mode is illustrated on the left. Active mode is illustrated on the right. Briefly explain the two authentication mechanisms: ■

Open authentication: Fundamentally a NULL authentication where the wireless client says “authenticate me” and the AP responds with “yes.” Open authentication provides wireless connectivity to any wireless device and should only be used in situations where security is of no concern.

■

Shared-key authentication: Technique is based on a key that is pre-shared between the client and the AP.

After discovering and authenticating with an AP or wireless router, the wireless device goes through an association process. Label Step 3 in Figure 4-5 with the association substeps. Figure 4-5

instructor.indb 51

The AP Association Process Step 1 (Discovery):

Step 2 (Authentication):

Listen for beacon frames to find WLAN SSIDs (passive mode)

Agree with AP to share Open authentication

or

or

Send a probe request to the AP with or without a known SSID (active mode)

Initiate Shared Key authentication process

Step 3 (Association):

1

1.

Send client’s MAC address to AP.

2.

Receive AP’s MAC address (BSSID).

3.

Receive AP’s association identifier (AID).

2 3

3/12/14 7:51 AM

52


Channel Management Concepts In wireless implementations, a common practice is for the radio wave frequencies to be allocated as ranges. Such ranges are then split into smaller ranges called channels. Depending on the 802.11 standard, there are various ways to manage these channels. Match the channels, frequency modulation technique, or standard on the right with the definitions on the left. Definitions

Channels, Frequency Modulation, and Standards

h. Spreads the signal over larger-frequency bands; used by 802.11b, cordless phones, CDMA cellular, and GPS networks

b. 12

c. Number of channels identified in Europe for 802.11b

d. 1,5,10

e. Nonoverlapping 802.11b channels i. Rapidly switches the signal over many frequency channels; used by the original 802.11 standard, walkie-talkies, and Bluetooth g. Supports four nonoverlapping channels and channel bonding

a. 11 c. 13 e. 1,6,11 f. 802.11g g. 802.11n h. DSSS i. FHSS j. OFDM

a. Number of channels identified in North America for 802.11b j. Maximizes spectral efficiency without causing adjacent channel interference; used by 802.11a/g/n/ad

instructor.indb 52

3/12/14 7:51 AM


53

Wireless LAN Security WLANs present unique security concerns because anyone within range of the AP and with the correct credentials can gain access to the network.

WLAN Security Terminology Match the definitions on the left with the WLAN security terms on the right. This is a one-to-one matching exercise. Definitions k. Wireless home router connected to the corporate network without authorization f. Attacker sends a series of “disassociate” commands to all wireless clients within a BSS g. Attacker takes advantage of the CSMA/CA contention method to monopolize the bandwidth and deny all other clients access to the AP j. The 802.11i industry standard for securing wireless networks b. An AP configured with the same SSID as a legitimate AP

WLAN Security Term a. TKIP b. Man-in-the-middle attack c. SSID cloaking d. AES e. WEP f. Spoofed disconnect attack g. CTS Flood h. WPA i. MAC address filtering j. WPA2 k. Rogue AP

a. Uses Message Integrity Check (MIC) to ensure the message has not been tampered with h. Basically WEP with TKIP encryption e. Obsolete wireless authentication method i. Manually allow or deny based on physical address c. Disable the transmission of the beacon d. Uses Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP), which allows destination hosts to recognize whether the bits have been tampered with

instructor.indb 53

3/12/14 7:51 AM

54


Identify the WLAN Security Characteristics The best way to secure a wireless network is to use authentication and encryption systems. The two major types of authentication are open authentication and shared authentication. Open is basically no authentication. Shared-key authentication comes in three flavors: WEP, WPA, and WPA2. In Table 4-6, indicate the authentication method for each characteristic. Table 4-6

WLAN Security Characteristics

WLAN Security Characteristic

Open Authentication

Shared-Key Authentication WEP

TKIP data encryption

WPA

X

AES data encryption

X

MIC authentication No password authentication

WPA2

X X

Medium security risk

X

Shared-key authentication

X

RC4 data encryption

X

No data encryption

X

Highest security risk

X

Lowest security risk High security risk

X X

CCMP authentication

X

Wireless LAN Configuration Modern wireless routers offer a variety of features, and most are designed to be functional right out of the box with the default settings. However, it is good practice to change this initial configuration—particularly, the default administrator password—so that public known default settings cannot be used to access the wireless settings.

Configuring WLAN Routers and Clients The best way to practice configuring wireless routers is to complete the Lab and Packet Tracer activities associated with the course. You can also make sure your own home router is configured with some of the following settings:

instructor.indb 54

■

Change the administrator password.

■

Change the IP addressing assigned through DHCP to wireless clients.

■

Change the service set identification (SSID) name. However, if you disable SSID broadcasts, users will have to manually enter the SSID.

■

Enable the strongest authentication protocol supported by the wireless router: hopefully WPA2.

3/12/14 7:51 AM


55

■

Enable MAC address filtering if you know the devices that will be joining the WLAN. Otherwise, you will have to manually add new devices each time someone wants to access the WLAN.

■

If desired, configure a guest network and password for guest users to access the WLAN.

If you do not have access to a wireless router, Packet Tracer, or Lab equipment, you can search the Internet for “wireless router configuration simulation.” Several wireless router manufacturers host a simulation web page where you can practice configuring their specific GUI. Lab - Configuring a Wireless Router and Client (SN 4.4.2.3/SwN 8.4.2.3) Packet Tracer Activity

Packet Tracer - Configuring Wireless LAN Access (SN 4.4.2.2/SwN 8.4.2.2)

Troubleshooting WLAN Issues Troubleshooting WLAN issues normally requires an elimination process. Start with the wireless client by checking the following: ■

Does the client have a valid IP address configuration?

■

Can the client successfully access the wired network?

■

Is the client configured with the correct security settings?

■

Is the client configured with the correct channel and SSID?

■

Is the wireless NIC driver up-to-date?

If the wireless client is operating as expected, check the following: ■

Is the AP powered on?

■

How far away is the closest AP?

■

Are other devices in the area interfering with the signal?

■

Are there any cabling or connector issues?

Finally, check the configuration of the AP to verify that it conforms to the desired specifications. Occasionally, issues with the AP software are identified and corrected by the manufacturer. So, you should regularly check to make sure that the firmware is up-to-date on the AP. Packet Tracer Challenge

instructor.indb 55

Packet Tracer - Skills Integration Challenge (SN 4.5.1.2/SwN 8.5.1.2)

3/12/14 7:51 AM

instructor.indb 56

3/12/14 7:51 AM

CHAPTER 5

Adjust and Troubleshoot Single-Area OSPF

Although we will spend a little bit of time on it, you should already know how to configure basic single-area OSPF. This chapter focuses on the concepts and configurations to fine-tune the operation of OSPF, including manipulating the designated router / backup designated router (DR/BDR) election, propagating a default router, fine-tuning Open Shortest Path First (OSPF) Protocol interfaces, and authenticating OSPF neighbors.

instructor.indb 57

3/12/14 7:51 AM

58


Advanced Single-Area OSPF Configurations In this section, we review the concepts and configurations to fine-tune the operation of OSPFv2 and OSPFv3.

Single-Area OSPF Configuration Review The following activity may look familiar to you if you also used the CCENT Practice and Study Guide. It is repeated here so that you can get back up to speed on OSPF before we look at more advanced configurations.

Configuring Single-Area OSPFv2 Figure 5-1 shows the topology that we will use to configure OSPFv2 and OSPFv3. This first topology shows IPv4 network addresses. The IPv4 addressing scheme is in Table 5-1. Figure 5-1

OSPFv2 Topology with IPv4 Network Addresses 192.168.1.0/26

G0/0

S0/0/0

192.168.1.252/30

S0/0/1 192.168.1.248/30 S0/0/1

384 kbps

S0/0/0 DCE

192.168.1.64/26 G0/0

RTB

IPv4 Addressing Scheme for OSPFv2

Device

Interface

IPv4 Address

Subnet Mask

RTA

G0/0

192.168.1.1

255.255.255.192

S0/0/0

192.168.1.253

255.255.255.252

S0/0/1

192.168.1.245

255.255.255.252

Router ID

1.1.1.1

G0/0

192.168.1.65

255.255.255.192

S0/0/0

192.168.1.249

255.255.255.252

S0/0/1

192.168.1.246

255.255.255.252

Router ID

2.2.2.2

G0/0

192.168.1.129

255.255.255.192

S0/0/0

192.168.1.254

255.255.255.252

S0/0/1

192.168.1.250

255.255.255.252

Router ID

3.3.3.3

RTB

RTC

instructor.indb 58

192.168.1.244/30 T1

S0/0/0 DCE

RTC

Table 5-1

S0/0/1 DCE

OSPF Area 0

T1

192.168.1.128/26 G0/0

RTA

3/12/14 7:51 AM

Chapter 5: Adjust and Troubleshoot Single-Area OSPF

59

In the space provided, document the correct commands, including the router prompt, to configure the routers in Figure 5-1 with OSPFv2. Include commands to configure the router ID and disable updates on the LAN interface. RTA(config)# router ospf 1 RTA(config-router)# router-id 1.1.1.1 RTA(config-router)# network 192.168.1.0 0.0.0.63 area 0 RTA(config-router)# network 192.168.1.244 0.0.0.3 area 0 RTA(config-router)# network 192.168.1.252 0.0.0.3 area 0 RTA(config-router)# passive-interface g0/0 RTB(config)# router ospf 1 RTB(config-router)# router-id 2.2.2.2 RTB(config-router)# network 192.168.1.64 0.0.0.63 area 0 RTB(config-router)# network 192.168.1.244 0.0.0.3 area 0 RTB(config-router)# passive-interface g0/0 RTC(config)# router ospf 1 RTC(config-router)# router-id 3.3.3.3 RTC(config-router)#network 192.168.1.128 0.0.0.63 area 0 RTC(config-router)#network 192.168.1.252 0.0.0.3 area 0 RTC(config-router)# passive-interface g0/0

Verifying Single-Area OSPFv2 Fill in the missing command to complete the following sentences: The show ip ospf neighbor command can be used to verify and troubleshoot OSPF neighbor relationships. The show ip protocols command is a quick way to verify vital OSPF configuration information, including the OSPF process ID, the router ID, networks the router is advertising, the neighbors the router is receiving updates from, and the default administrative distance, which is 110 for OSPF. The show ip ospf command can also be used to examine the OSPF process ID and router ID. In addition, this command displays the OSPF area information as well as the last time the SPF algorithm was calculated. The quickest way to verify Hello and Dead intervals is to use the show ip ospf interface command. The quickest way to verify OSPF convergence is to use the show ip route command to view the routing table for each router in the topology.

Configuring Single-Area OSPFv3 Figure 5-2 shows the same topology we used for OSPFv2, but with IPv6 network addresses. Table 5-2 shows the IPv6 addressing scheme.

instructor.indb 59

3/12/14 7:51 AM

60


Figure 5-2

OSPFv3 Topology with IPv6 Network Addresses 2001:DB8:1:1::/64

G0/0

RTA

S0/0/0

2001:DB8:F:AC::/64

OSPF Area 0

T1

2001:DB8:1:3::/64 G0/0

Device

RTA

RTB

RTC

2001:DB8:F:AB::/64 T1

S0/0/0 DCE

S0/0/1 2001:DB8:F:BC::/64

RTC

Table 5-2

S0/0/1 DCE

S0/0/1

384 kbps

S0/0/0 DCE

2001:DB8:1:2::/64 G0/0

RTB

IPv6 Addressing Scheme for OSPFv3 Interface

IPv6 Address/Prefix

G0/0

2001:DB8:1:1::1/64

S0/0/0

2001:DB8:F:AC::1/64

S0/0/1

2001:DB8:F:AB::1/64

Link-local

FE80::A

Router ID

1.1.1.1

G0/0

2001:DB8:1:2::1/64

S0/0/0

2001:DB8:F:BC::1/64

S0/0/1

2001:DB8:F:AB::2/64

Link-local

FE80::B

Router ID

2.2.2.2

G0/0

2001:DB8:1:3::1/64

S0/0/0

2001:DB8:F:AC::2/64

S0/0/1

2001:DB8:F:BC::2/64

Link-local

FE80::C

Router ID

3.3.3.3

The routers are already configured with interface addressing. Record the correct commands, including the router prompt, to configure the routers with OSPFv3. Include commands to enable IPv6 routing, configure the router ID, change the reference bandwidth to 10000, and disable updates on the LAN interface. Except for the router ID, the commands are the same for all three routers. So, you need to document only one router. RTA(config)# ipv6 unicast-routing RTA(config)# ipv6 router ospf 10 RTA(config-rtr)# router-id 1.1.1.1 RTA(config-rtr)# auto-cost reference-bandwidth 10000 RTA(config-rtr)# passive-interface g0/0

instructor.indb 60

3/12/14 7:51 AM


61

RTA(config-rtr)# interface g0/0 RTA(config-if)# ipv6 ospf 10 area 0 RTA(config-if)# interface s0/0/0 RTA(config-if)# ipv6 ospf 10 area 0 RTA(config-if)# interface s0/0/1 RTA(config-if)# ipv6 ospf 10 area 0

Verifying Single-Area OSPFv3 Fill in the missing command to complete the following sentences: The show ipv6 ospf neighbor command can be used to verify and troubleshoot OSPF neighbor relationships. The show ipv6 protocols command is a quick way to verify vital OSPF configuration information, including the OSPF process ID, the router ID, and interfaces the router is advertising. The show ipv6 ospf command can also be used to examine the OSPF process ID and router ID. In addition, this command displays the OSPF area information as well as the last time the SPF algorithm was calculated. To view a quick summary of OSPFv3-enabled interfaces, use the show ipv6 ospf interface brief command. However, the quickest way to verify Hello and Dead intervals is to use the show ipv6 ospf interface command. The quickest way to verify OSPF convergence is to use the show ipv6 route command to view the routing table for each router in the topology. Lab - Configuring Basic Single-Area OSPFv2 (SN 5.1.1.9)

instructor.indb 61

3/12/14 7:51 AM

62


Identify Network Types Match the definition on the left with the network type on the right. This is a one-to-one matching exercise. Definitions

Network Type

e. Connects distant OSPF networks to the backbone area

a. Broadcast multi-access b. Nonbroadcast multi-access

b. Connects multiple routers using Frame Relay

c. Point to multipoint

c. Connects multiple routers in a hub-and-spoke topology

d. Point to point e. Virtual links

d. Connects two routers directly on a single WAN network a. Connects multiple routers using Ethernet technology

instructor.indb 62

3/12/14 7:51 AM


63

In Figure 5-3, label each network type. Figure 5-3

Network Types

Internet

R2

R1

Frame Relay

R3

R3

R3

Starting from the top and going clockwise: point to point, broadcast multi-access, nonbroadcast multi-access (NBMA), point to multipoint.

OSPF and Multi-Access Networks A multi-access network is a network with more than two devices on the same shared media. Examples of multi-access networks include Ethernet and Frame Relay. Frame Relay is a WAN technology that is discussed in a later CCNA course. The following exercises cover the concepts of multi-access networks in OSPF and the DR/BDR election process.

OSPF and Multi-Access Networks Completion Exercise Complete the missing words or phrases in the following paragraphs. On multi-access networks (networks supporting more than two routers) such as Ethernet and Frame-Relay networks, the hello protocol elects a designated router (DR) and a backup designated router (BDR). Among other things, the designated router is responsible for generating LSAs for the entire multi-access network which allows a reduction in routing update traffic. The DR, BDR, and every other router in an OSPF network sends out Hellos using 224.0.0.5 as the destination address. If a DRother (a router that is not the DR) needs to send a link-state advertisement (LSA), it will send it using 224.0.0.6 as the destination address. The DR and the BDR will receive LSAs at this address. The DR/BDR election is based on OSPF priority and OSPF router ID. By default, all OSPF routers have a priority of 1. If all OSPF routers have the same priority, the highest router ID determines the DR and BDR. If the router ID is not explicitly configured and a loopback interface is not configured, the highest IP address on an active interface at the moment of OSPF process startup is used as the router ID. In Figure 5-4, label the steps taken to elect the DR.

instructor.indb 63

3/12/14 7:51 AM

64


Figure 5-4

Steps in the DR Election Process

Step 2a

If router values from Step 1 are exactly the same,then...

Step 1

Step 2

Step 2b

Step 2c

Step 1: Highest interface priority values. Step 2: Highest router ID. Step 2a: Highest manually configured router ID. Step 2b: Highest loopback address. Step 2c: Highest active interface IP address. Use the topology in Figure 5-5 to determine the router ID for each router, and then determine which router will be the DR, if applicable. Figure 5-5

Determine the Router ID RTF

G0/0: 10.1.19.1/24

S0/0: 209.165.201.2/27

Lo0: 192.168.10.5/32 RTA

S0/0: 10.1.16.2/30

RTB

G0/1: 10.1.10.4/24

S0/0: 10.1.16.1/30 Lo0 192.168.10.1/32

RTE

S0/0: 209.165.201.1/27

G0/0: 10.1.10.2/24

G0/1: 10.1.10.3/24 Lo0: 192.168.10.3/32

RTD

G0/0: 10.1.13.2/24

G0/1: 10.1.10.1/24 RTC

G0/0: 10.1.13.1/24

In Table 5-3, record the router ID for each router. Table 5-3

Listing of Router IDs

Device

Router ID

Router A

192.168.10.5

Router B

209.165.201.1

Router C

10.1.10.1

Router D

192.168.10.3

Router E

192.168.10.1

Router F

209.165.201.2

In Table 5-4, determine whether a DR will be elected for each network and record the DR’s hostname. If no DR is elected, indicate so with “none.”

instructor.indb 64

3/12/14 7:51 AM


Table 5-4

65

Listing of DRs

Network

DR

209.165.201.0

None

10.1.16.0

None

10.1.13.0

Router D

10.1.10.0

Router B

Note: Configure your OSPFv2 routers with a router ID to control the DR/BDR election. With OSPFv3, you must configure a router ID.

Setting the priority on the interface is another way to control DR or BDR. In addition to configuring loopbacks, it is a good idea to configure RTA with an OSPF priority that will ensure it always wins the DR/BDR election. The syntax for configuring OSPF priority is as follows: Router(config-if)# ip ospf priority priority

Document the commands you use to configure on RTA to make sure that its priority will always win the DR/BDR election. RTA(config)# interface Fa 0/0 RTA(config-if)# ip ospf priority 2 !Any priority higher than the default of 1 will work.

DR/BDR Election Exercise In the following exercises, assume that all routers are simultaneously booted and that router priorities are set to the default. Determine the network type, if applicable, and label which router is elected as the DR and which router is elected as the BDR. Refer to Figure 5-6 and answer the following questions. Figure 5-6

DR/BDR Election Exercise 1 Topology Fa0/0 = 172.16.1.1 Lo0 = 192.168.1.4

Fa0/0 = 172.16.1.2 Lo0 = 192.168.1.3

RTA

RTB

RTC

RTD

Fa0/0 = 172.16.1.3 S0/0/0 = 192.168.5.1 Lo0 = 192.168.1.2

Fa0/0 = 172.16.1.4 S0/0/0 = 192.168.5.2 Lo0 = 192.168.1.1

What is the router ID for RTA? 192.168.1.4 What is the router ID for RTB? 192.168.1.3 What is the router ID for RTC? 192.168.1.2 What is the router ID for RTD? 192.168.1.1

instructor.indb 65

3/12/14 7:51 AM

66


Which router will be elected DR? RTA Which router will be elected BDR? RTB Refer to Figure 5-7 and determine whether there will be a DR/BDR election. If applicable, designate which router is DR and which router is BDR. Figure 5-7

DR/BDR Election Exercise 2 Topology 172.15.1.1/30 S0/0/0

172.18.1.2/30 S0/0/1

RTA

172.15.1.2/30 S0/0/0

172.18.1.1/30 S0/0/0

RTD

RTB

Fa0/0 172.16.1.2/24

Fa0/0 172.17.1.2/24

Fa0/1 172.16.1.1/24

Fa0/0 172.17.1.1/24

RTC

Network

DR/BDR Election?

Which Router Is the DR?

Which Router Is the BDR?

172.15.1.0/30

No

N/A

N/A

172.16.1.0/24

Yes

RTC

RTD

172.17.1.0/24

Yes

RTB

RTC

172.18.1.0/30

No

N/A

N/A

Refer to Figure 5-8 and answer the following questions. Figure 5-8

DR/BDR Election Exercise 3 Topology Fa0/0 = 192.168.0.1/24 S0/0/0 = 209.165.201.2/30

RTA

S0/0/0

ISP S0/0/0 = 209.165.201.1/30

Fa0/0

OSPF Area 0 Fa0/0

Fa0/0 S0/0/0

RTC

S0/0/0

Fa0/0 = 192.168.0.3/24 S0/0/0 = 192.168.1.3/30 Lo0 = 10.1.1.1/32

instructor.indb 66

RTB Fa0/0 = 192.168.0.2/24 S0/0/0 = 192.168.1.2/30

3/12/14 7:51 AM


67

What is the router ID for RTA? 209.165.201.2 What is the router ID for RTB? 192.168.1.2 What is the router ID for RTC? 10.1.1.1 Which router is DR for the 192.168.0.0/24 network? RTA Which router is BDR for the 192.168.0.0/24 network? RTB Now assume a priority of zero on RTA. Which router is DR for the 192.168.1.0/24 network? RTB What will happen if another router, RTD, joins the 192.168.0.0/24 network with a router ID of 209.165.201.9? Nothing. Both the DR and BDR have to go down before RTD can become the DR.

Redistributing an OSPF Default Route Exercise In some topology configurations and routing policy situations, it is desirable to have an Autonomous System Boundary Router (ASBR) redistribute a default route to the OSPF neighbors in the area. This can be quickly accomplished in both OSPFv2 and OSPFv3.

OSPFv2 Default Route Redistribution In Figure 5-9, notice that RTA is now our gateway router because it provides access outside the area. In OSPF terminology, RTA is called the Autonomous System Boundary Router (ASBR) because it connects to an external routing domain that uses a different routing policy. Figure 5-9

Propagating a Default Route in OSPFv2 192.168.1.0/26

Default Route

G0/0

S0/0/0 DCE

S0/1/0

Address Space 192.168.1.0/24

RTA S0/0/0

209.165.201.2/30 S0/0/1 DCE

RTA Propagates Default Route to RTB and RTC

192.168.1.252/30 T1

209.165.201.1/30

ISP

Static Route

192.168.1.244/30

Public Web Server

T1

209.165.202.129/30

S0/0/0 DCE

192.168.1.128/26 G0/0

RTC

OSPF Area 0 192.168.1.64/26

S0/0/1 384 kbps

S0/0/0 DCE

S0/0/1 192.168.1.248/30

G0/0

RTB

Each routing protocol handles the propagation of default routing information a little differently. For OSPF, the gateway router must be configured with two commands. First, RTA will need a static default route pointing to ISP. Document the command to configure a static default route on RTA using the exit interface argument. RTA(config)# ip route 0.0.0.0 0.0.0.0 serial 0/1/0

instructor.indb 67

3/12/14 7:51 AM

68


Using the exit interface argument, document the command necessary to configure ISP with a static route pointing to the 192.168.1.0/24 address space. ISP(config)# ip route 192.168.1.0 255.255.255.0 serial 0/0/0

At this point, any host on the LAN attached to RTA will be able to access ISP and be able to ping the Public Web Server at 209.165.202.129. However, RTB and RTC still cannot ping outside the 192.168.1.0/24 address space. Why? Because neither router has a default route Document the command that needs to be configured on RTA to fix this problem. RTA(config)# router ospf 1 RTA(config-router)# default-information originate

OSPFv3 Default Route Redistribution Configuring OSPFv3 to propagate a default route is essentially the same tasks as you do in OSPFv2. Figure 5-10 is an IPv6 version of Figure 5-9. Figure 5-10

Propagating a Default Route in OSPFv3 2001:DB8:1:1::/64 2001:DB8:CAFE:1::F/64 Default Route

G0/0

S0/0/0 DCE

S0/1/0

Address Space 2001:DB:1::/48

RTA S0/0/0

209.165.201.2/30 S0/0/1 DCE

RTA Propagates Default Route to RTB and RTC

2001:DB8:1:AC::/64 T1

209.165.201.1/30

ISP

Static Route

2001:DB8:1:AB::/64

Public Web Server

T1

2001:DB8:CAFE:F::F/64

S0/0/0 DCE

2001:DB8:1:3::/64 G0/0

RTC

OSPF Area 0 2001:DB8:1:2::/64

S0/0/1 384 kbps

S0/0/0 DCE

S0/0/1 2001:DB8:1:BC::/64

G0/0

RTB

Document the command to configure a static default route on RTA using the exit interface argument. RTA(config)# ipv6 route ::/0 serial 0/1/0

Using the exit interface argument, document the command necessary to configure ISP with a static route pointing to the 2001:DB8:1::/48 address space. ISP(config)# ipv6 route 2001:DB8:1::/48 serial 0/0/0

Document the command that will cause RTA to propagate the default router to RTB and RTC. RTA(config)#ipv6 router ospf 1 RTA(config-rtr)#default-information originate

instructor.indb 68

3/12/14 7:51 AM


69

Fine-Tuning OSPF Interfaces OSPF routers must use matching Hello intervals and Dead intervals on the same link. The default interval values result in efficient OSPF operation and seldom need to be modified. However, you can change them. Again, refer to Figure 5-9. Assuming that the current intervals are 10 and 40, document the commands necessary to change these OSPFv2 intervals on the link between RTB and RTC to a value four times greater than the current value. RTB(config)# interface serial 0/0/0 RTB(config-if)# ip ospf hello-interval 40 RTB(config-if)# ip ospf dead-interval 160 RTC(config)# interface serial 0/0/1 RTC(config-if)# ip ospf hello-interval 40 RTC(config-if)# ip ospf dead-interval 160

Note that it is not necessary to configure the Dead interval as long as the desired interval is four times the Hello. The IOS will automatically increase the Dead interval to four times the configured Hello interval. Now refer to Figure 5-10. Assuming that the current intervals are 10 and 40, document the commands necessary to change the OSPFv3 intervals on the link between RTB and RTC to a value four times greater than the current value. RTB(config)# interface serial 0/0/0 RTB(config-if)# ipv6 ospf hello-interval 40 RTB(config-if)# ipv6 ospf dead-interval 160 RTC(config)# interface serial 0/0/1 RTC(config-if)# ipv6 ospf hello-interval 40 RTC(config-if)# ipv6 ospf dead-interval 160

Other than the show run command, what commands can you use to verify OSPF timers on an interface for both IPv4 and IPv6? show ip ospf interface show ipv6 ospf interface

Securing OSPFv2 with MD5 Authentication Because routers are targets for network attacks, you should always configure authentication services for OSPFv2 using the strongest authentication available: MD5 (message digest algorithm 5). Assume the routers in Figure 5-11 are using MD5 authentication to exchange OSPFv2 routing updates. Briefly explain the steps in MD5 authentication as R1 sends an OSPF message to R2. Figure 5-11

OSPFv2 MD5 Authentication Between R1 and R2 S0/0/0 R1

instructor.indb 69

S0/0/1

R2

3/12/14 7:51 AM

70


Both routers are configured with a pre-shared key. So when R1 has a message to send to R2, it combines the message with the key using MD5 to calculate a signature—known as a hash value. R1 adds the signature to the message and sends it to R2. Once received by R2, it combines the message with the key and uses MD5 to calculate the signature. If signatures match, R2 accepts the message. If not, R2 discards the message. You can configure OSPFv2 MD5 authentication globally, forcing all OSPF interfaces to use authentication. Or you can configure authentication on specific interfaces. Document the command syntax, including the router prompt, to enable OSPFv2 MD5 authentication on all interfaces. In router configuration mode: Router(config-router)# area area-id authentication message-digest

Then on each interface: Router(config-if)# ip ospf message-digest-key key md5 password

Document the command syntax including the router prompt to enable OSPFv2 MD5 authentication only on specific interfaces. On a specific interface: Router(config-if)# ip ospf message-digest-key key md5 password Router(config-if)# ip ospf authentication message-digest

Refer to Figure 5-9. Document the commands to configure RTA to use MD5 authentication globally on all OSPF interfaces. Choose your own process ID and key values. RTA(config)# router ospf 1 RTA(config-router)# area 0 authentication message-digest RTA(config-router)# interface s0/0/0 RTA(config-if)# ip ospf message-digest-key 1 md5 cisco123 RTA(config-if)# interface s0/0/1 RTA(config-if)# ip ospf message-digest-key 1 md5 cisco123

Document the commands to configure RTB to use MD5 authentication on the serial interfaces only. Choose your own process ID and key values. RTB(config)# interface s0/0/0 RTB(config-if)# ip ospf message-digest-key 1 md5 cisco123 RTB(config-if)# ip ospf authentication message-digest RTB(config-if)# interface s0/0/1 RTB(config-if)# ip ospf message-digest-key 1 md5 cisco123 RTB(config-if)# ip ospf authentication message-digest

What command can you use to verify OSPF MD5 authentication? show ip ospf interface Note: Cisco IOS supports a simple authentication method. However, this method sends the password in plain text. Therefore, it is not considered a best practice.

instructor.indb 70

3/12/14 7:51 AM


71

Lab - Configuring OSPFv2 Advance Features (SN 5.1.5.8/RP 7.1.4.8) Packet Tracer Activity

Packet Tracer - Configuring OSPFv2 Advance Features (SN 5.1.5.7/RP 7.1.4.7)

Troubleshooting Single-Area OSPF Implementations Troubleshooting single-area OSPF is required skill for any network professional involved in the implementation and maintenance of an OSPF network. Solid understanding of OSPF operation and the impact of the OSPF configuration commands is essential.

OSPF Adjacency Issues A common problem in OSPF convergence is a lack of adjacency with OSPF neighbors. List at least four reasons why adjacency might fail to establish. ■

The interfaces are not on the same network.

■

OSPF network types do not match.

■

OSPF Hello or Dead timers do not match.

■

Interface to neighbor is incorrectly configured as passive.

■

There is a missing or incorrect OSPF network command (OSPFv2), or OSPF is not configured correctly on the interface (OSPFv3).

■

Authentication is misconfigured.

What are the OSPFv2 and OSPFv3 commands you use to quickly verify adjacency between OSPF routers? show ip ospf neighbors show ipv6 ospf neighbors The command will list a state for each known OSPF router. What are the seven states OSPF transitions through on its way to convergence? Down, Init, Two-Way, Exstart, Exchange, Loading, Full

Identify OSPFv2 Troubleshooting Commands The following output is from the topology shown in Figure 5-9. Indicate the command used to generate the output. RTA# show ip route ospf Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route

instructor.indb 71

3/12/14 7:51 AM

72


o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP + - replicated route, % - next hop override

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

192.168.1.0/24 is variably subnetted, 9 subnets, 3 masks O

192.168.1.64/26 [110/65] via 192.168.1.246, 00:19:35, Serial0/0/1

O

192.168.1.128/26 [110/65] via 192.168.1.254, 00:19:10, Serial0/0/0

O

192.168.1.248/30 [110/128] via 192.168.1.254, 00:19:10, Serial0/0/0 [110/128] via 192.168.1.246, 00:19:35, Serial0/0/1

RTA# show ip ospf neighbor

Neighbor ID

Pri

State

192.168.1.254

0

FULL/

192.168.1.249

0

FULL/

Dead Time

Address

Interface

-

00:00:31

192.168.1.254

Serial0/0/0

-

00:00:32

192.168.1.246

Serial0/0/1

RTA# show ip ospf interface serial 0/0/0 Serial0/0/0 is up, line protocol is up Internet Address 192.168.1.253/30, Area 0, Attached via Network Statement Process ID 1, Router ID 192.168.1.253, Network Type POINT_TO_POINT, Cost: 64 Topology-MTID

Cost

Disabled

Shutdown

0

64

no

no

Topology Name Base

Transmit Delay is 1 sec, State POINT_TO_POINT Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 oob-resync timeout 40 Hello due in 00:00:03 Supports Link-local Signaling (LLS) Cisco NSF helper support enabled IETF NSF helper support enabled Index 3/3, flood queue length 0 Next 0x0(0)/0x0(0) Last flood scan length is 1, maximum is 1 Last flood scan time is 0 msec, maximum is 0 msec Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 192.168.1.254 Suppress hello for 0 neighbor(s) RTA# show ip protocols *** IP Routing is NSF aware ***

Routing Protocol is "ospf 1" Outgoing update filter list for all interfaces is not set Incoming update filter list for all interfaces is not set Router ID 192.168.1.253 It is an autonomous system boundary router

instructor.indb 72

3/12/14 7:51 AM


73

Redistributing External Routes from, Number of areas in this router is 1. 1 normal 0 stub 0 nssa Maximum path: 4 Routing for Networks: 192.168.1.0 0.0.0.63 area 0 192.168.1.244 0.0.0.3 area 0 192.168.1.252 0.0.0.3 area 0 Routing Information Sources: Gateway

Distance

Last Update

192.168.1.246

110

00:18:13

192.168.1.254

110

00:17:48

Distance: (default is 110) RTA# show ip ospf Routing Process "ospf 1" with ID 192.168.1.253 Start time: 00:44:46.536, Time elapsed: 00:23:27.360 Supports only single TOS(TOS0) routes Supports opaque LSA Supports Link-local Signaling (LLS) Supports area transit capability Supports NSSA (compatible with RFC 3101) Event-log enabled, Maximum number of events: 1000, Mode: cyclic It is an autonomous system boundary router Redistributing External Routes from, Router is not originating router-LSAs with maximum metric Initial SPF schedule delay 5000 msecs Minimum hold time between two consecutive SPFs 10000 msecs Maximum wait time between two consecutive SPFs 10000 msecs Incremental-SPF disabled Minimum LSA interval 5 secs Minimum LSA arrival 1000 msecs LSA group pacing timer 240 secs Interface flood pacing timer 33 msecs Retransmission pacing timer 66 msecs Number of external LSA 1. Checksum Sum 0x003416 Number of opaque AS LSA 0. Checksum Sum 0x000000 Number of DCbitless external and opaque AS LSA 0 Number of DoNotAge external and opaque AS LSA 0 Number of areas in this router is 1. 1 normal 0 stub 0 nssa Number of areas transit capable is 0 External flood list length 0 IETF NSF helper support enabled Cisco NSF helper support enabled

instructor.indb 73

3/12/14 7:51 AM

74


Reference bandwidth unit is 100 mbps Area BACKBONE(0) Number of interfaces in this area is 3 Area has no authentication SPF algorithm last executed 00:16:47.472 ago SPF algorithm executed 4 times Area ranges are Number of LSA 3. Checksum Sum 0x00E037 Number of opaque link LSA 0. Checksum Sum 0x000000 Number of DCbitless LSA 0 Number of indication LSA 0 Number of DoNotAge LSA 0 Flood list length 0

Identify OSPFv3 Troubleshooting Commands The following output is from the topology shown in Figure 5-10. Indicate the command used to generate the output. RTC# show ipv6 protocols IPv6 Routing Protocol is "connected" IPv6 Routing Protocol is "ND" IPv6 Routing Protocol is "ospf 1" Router ID 3.3.3.3 Number of areas: 1 normal, 0 stub, 0 nssa Interfaces (Area 0): GigabitEthernet0/0 Serial0/0/1 Serial0/0/0 Redistribution: None RTC# show ipv6 ospf neighbor

OSPFv3 Router with ID (3.3.3.3) (Process ID 1)

Neighbor ID

Pri

State

2.2.2.2

0

FULL/

1.1.1.1

0

FULL/

Dead Time

Interface ID

Interface

-

00:00:39

6

Serial0/0/1

-

00:00:31

6

Serial0/0/0

RTC# show ipv6 ospf interface serial 0/0/1 Serial0/0/1 is up, line protocol is up Link Local Address FE80::C, Interface ID 7 Area 0, Process ID 1, Instance ID 0, Router ID 3.3.3.3 Network Type POINT_TO_POINT, Cost: 64 Transmit Delay is 1 sec, State POINT_TO_POINT

instructor.indb 74

3/12/14 7:51 AM


75

Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 Hello due in 00:00:06 Graceful restart helper support enabled Index 1/2/2, flood queue length 0 Next 0x0(0)/0x0(0)/0x0(0) Last flood scan length is 2, maximum is 4 Last flood scan time is 0 msec, maximum is 0 msec Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 2.2.2.2 Suppress hello for 0 neighbor(s) RTC# show ipv6 ospf Routing Process "ospfv3 1" with ID 3.3.3.3 Event-log enabled, Maximum number of events: 1000, Mode: cyclic Router is not originating router-LSAs with maximum metric Initial SPF schedule delay 5000 msecs Minimum hold time between two consecutive SPFs 10000 msecs Maximum wait time between two consecutive SPFs 10000 msecs Minimum LSA interval 5 secs Minimum LSA arrival 1000 msecs LSA group pacing timer 240 secs Interface flood pacing timer 33 msecs Retransmission pacing timer 66 msecs Number of external LSA 1. Checksum Sum 0x00B657 Number of areas in this router is 1. 1 normal 0 stub 0 nssa Graceful restart helper support enabled Reference bandwidth unit is 100 mbps RFC1583 compatibility enabled Area BACKBONE(0) Number of interfaces in this area is 3 SPF algorithm executed 4 times Number of LSA 15. Checksum Sum 0x07E293 Number of DCbitless LSA 0 Number of indication LSA 0 Number of DoNotAge LSA 0 Flood list length 0 RTC#show ipv6 route ospf IPv6 Routing Table - default - 11 entries Codes: C - Connected, L - Local, S - Static, U - Per-user Static route B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2 IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2

instructor.indb 75

3/12/14 7:51 AM

76


OE2 ::/0 [110/1], tag 1 via FE80::A, GigabitEthernet0/0 O

2001:DB8:1:1::/64 [110/1] via GigabitEthernet0/0, directly connected

O

2001:DB8:1:AB::/64 [110/65] via FE80::B, GigabitEthernet0/0

O

2001:DB8:2:1::/64 [110/1] via GigabitEthernet0/0, directly connected

Lab - Troubleshooting Basic Single-Area OSPFv2 and OSPFv3 (SN 5.2.3.3/RP 7.2.3.3) Lab - Troubleshooting Advanced Single-Area OSPFv2 (SN 5.2.3.4/RP 7.2.3.4) Packet Tracer Activity

instructor.indb 76

Packet Tracer - Troubleshooting Single-Area OSPFv2 (SN 5.2.2.3/RP 7.2.2.3) Packet Tracer - Skills Integration Challenge (SN 5.3.1.2/RP 7.3.1.2)

3/12/14 7:51 AM

CHAPTER 6

Multiarea OSPF

In larger network implementations, single-area OSPF can require a significant amount of CPU and memory resources. As the number of routers grows, network administrators often implement multiarea OSPF to control the size of link-state databases, routing table entries, and the number of SPF calculations. This chapter reviews the concepts and configurations for multiarea OSPFv2 and OSPFv3.

instructor.indb 77

3/12/14 7:51 AM

78


Multiarea OSPF Operation Multiarea OSPF was specifically designed to address several issues that result from single-area OSPF growing beyond its constraints.

Multiarea OSPF Terminology and Concepts Briefly describe three issues that arise if an OSPF area becomes too big. ■

OSPF does not perform route summarization by default, so the routing table can become very large.

■

The LSDB includes every link in the area which each router must maintain, even if every link is not selected for the routing table.

■

In areas that are too large, recalculating the SFP algorithm consumes many CPU cycles.

Briefly describe the role of each of the following OSPF router types. ■

Internal router: A router with all of its interfaces in the same area

■

Backbone router: A router that belongs to backbone area which is, by convention, configured as area 0

■

Area Border Router (ABR): A router with interfaces attached to multiple OSPF areas, but not an external network

■

Autonomous System Boundary Router (ASBR): A router with at least one interface attached to an external, non-OSPF network

In Table 6-1, indicate the OSPF router type for each router in Figure 6-1. A router can be more than one type. Figure 6-1

Sample Multiarea OSPF Topology Area 1

Area 0

R1

Area 2

BB2

R2

BB3

BB1

R4 R3

BB4

External AS

instructor.indb 78

3/12/14 7:51 AM

Chapter 6: Multiarea OSPF

Table 6-1

79

Indentify the OSPF Router Type

OSPF Router Type

BB1

BB2

BB3

X

Internal router Backbone router

X

Area Border Router (ABR)

X

X

X

BB4

R1

R2

R3

R4

X

X

X

X

X

X

X X

Autonomous System Boundary Router (ASBR)

Multiarea OSPF LSA Operation Although the RFCs for OSPF specify up to 11 different LSA types, at the CCNA level we are only concerned with the first 5. In Table 6-2, indicate the name for each LSA type. Table 6-2

Most Common OSPF LSA Types

LSA Type

Description

1

Router LSA

2

Network LSA

3 and 4

Summary LSAs

5

AS External LSA

Refer to Figure 6-1. In Table 6-3, indicate which LSA type is used in each of the scenarios. Table 6-3

Determine the LSA Type

LSA Scenario

Type 1

Type 2

Type 3

Type 4

BB1 is advertising to Area 1 a link to an external autonomous system. BB1 and BB3 do not forward these LSAs into Area 0.

X X

As DR, R2 sends this LSA type to R3.

X

BB4 is advertising an external network to BB3 and BB1.

X

BB3 is advertising to Area 2 that BB4 is the ASBR. BB2 is advertising its directly connected OSPF-enabled links to BB1 and BB3.

Type 5

X X

BB2 is advertising the links in Area 0 to the routers in Area 1.

X

OSPF Routing Table and Types of Routes Because of the different LSA types with routes originating from different areas and from nonOSPF networks, the routing table uses different codes to identify the various types of routes. Refer to Example 6-1. Briefly describe each of the three OSPF route types shown.

instructor.indb 79

3/12/14 7:51 AM

80


Example 6-1

A Sample Multiarea OSPF Routing Table

BB1# show ip route | begin Gateway Gateway of last resort is 10.0.0.1 to network 0.0.0.0

O*E2

0.0.0.0/0 [110/1] via 10.0.0.1, 00:02:16, Serial0/0/0 10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks

C

10.0.0.0/30 is directly connected, Serial0/0/0

L

10.0.0.2/32 is directly connected, Serial0/0/0

O


C

172.16.0.0/23 is directly connected, GigabitEthernet0/0

L


C


L


O

172.16.5.0/24 [110/65] via 10.0.0.1, 00:03:24, Serial0/0/0

O IA

172.16.16.0/21 [110/129] via 10.0.0.1, 00:03:24, Serial0/0/0

O IA

172.16.24.0/21 [110/129] via 10.0.0.1, 00:03:24, Serial0/0/0

BB1#

O: Indicates the router received router (type 1) and network (type 2) LSAs describing the details within an area, meaning that the route is intra-area. O IA: Indicates the router received a summary (type 3) LSA from an ABR. This is an interarea route. O*E2: Indicates the router received an AS External (type 5) LSA either from an ABR or an ASBR. This is an external route. List the steps in order that OSPF uses to calculate the best paths. 1. Calculate intra-area OSPF routes. 2. Calculate best path to interarea OSPF routes. 3. Calculate best path route to external non-OSPF networks.

Configuring Multiarea OSPF At the CCNA level, the configuration of multiarea OSPF is rather straightforward if you are already comfortable configuring single-area OSPF. This section reviews configuring and verifying multiarea OSPFv2 and OSPFv3.

Configuring Multiarea OSPF We will use the topology in Figure 6-2 and the addressing in Table 6-4 to configure a dualstack network running multiarea OSPFv2 and OSPFv3.

instructor.indb 80

3/12/14 7:51 AM


Figure 6-2

81

Dual-Stacked Multiarea OSPF Topology Area 0 172.16.5.0/24 2001:DB8:5:1::/64

G0/0 .1 Lo0 BB2

.1 10.0.0.0/30 2001:DB8:0:E::/64

.2

Area 1

S0/0/0

Internet

.1

S0/0/0 S0/0/1

10.0.1.0/30 2001:DB8:0:F::/64

S0/0/1

BB1 .1 G0/0 G0/1 .1

172.16.0.0/23 2001:DB8:1:1::/64

209.165.201.0/30 2001:DB8:F:F::/64

Area 2

172.16.2.0/23 2001:DB8:1:2::/64

.2

BB3 .1 G0/0 G0/1 .1

172.16.16.0/21 2001:DB8:3:1::/64

172.16.24.0/21 2001:DB8:3:2::/64

Based on the addressing shown in the topology, finish documenting the addressing scheme in Table 6-4. Table 6-4

Addressing for the Dual-Stacked Multiarea OSPF Topology

Device

Interface

Addressing Information

BB1

G0/0

172.16.0.0

255.255.254.0

2001:DB8:1:1::2/64 G0/1

172.16.2.0

255.255.254.0

2001:DB8:1:2::2/64 S0/0/0

10.0.0.2

255.255.255.252

2001:DB8:0:E::2/64 Link-Local BB2

FE80::1

Router ID

1.1.1.1

G0/0

172.16.5.1

255.255.255.0

2001:DB8:5:1::1/64 S0/0/0

10.0.0.1

255.255.255.252

2001:DB8:0:E::1/64 S0/0/1

10.0.1.1

255.255.255.252

2001:DB8:0:F::1/64 Lo0

209.165.201.1

255.255.255.252

2001:DB8:F:F::1/64

instructor.indb 81

Link-Local

FE80::2

Router ID

2.2.2.2

3/12/14 7:51 AM

82


Device

Interface


BB3

G0/0

172.16.16.1

255.255.248.0

2001:DB8:3:1::2/64 G0/1

172.16.24.0

255.255.248.0

2001:DB8:3:2::2/64 S0/0/1

10.0.1.2

255.255.255.252

2001:DB8:0:F::2/64 Link-Local

FE80::3

Router ID

3.3.3.3

The only difference between configuring single-area OSPF and multiarea OSPF is assigning the area value. Recall that for OSPFv2, you configure the area as part of the network command in OSPF router configuration mode. In OSPFv3, you configure the area as part of the ipv6 ospf command in interface configuration mode. Document the OSPFv2 and OSPFv3 routing configurations for all three routers. Include default routing to the Internet with BB2 redistributing the IPv4 and IPv6 default routes to BB1 and BB2. !BB1!!!!!!!!!!!!!!!!!!! router ospf 10 router-id 1.1.1.1 network 172.16.0.0 0.0.1.255 area 1 network 172.16.2.0 0.0.1.255 area 1 network 10.0.0.0 0.0.0.3 area 0 ipv6 router ospf 10 router-id 1.1.1.1 interface g0/0 ipv6 ospf 10 area 1 interface g0/1 ipv6 ospf 10 area 1 interface s0/0/0 ipv6 ospf 10 area 0 !BB2!!!!!!!!!!!!!!!!!!! ip route 0.0.0.0 0.0.0.0 Lo0 ipv6 route ::/0 Lo0 router ospf 10 router-id 2.2.2.2 network 172.16.5.0 0.0.0.255 area 0 network 10.0.0.0 0.0.0.3 area 0 network 10.0.1.0 0.0.0.3 area 0 default-information originate ipv6 router ospf 10 router-id 2.2.2.2

instructor.indb 82

3/12/14 7:51 AM


83

default-information originate interface g0/0 ipv6 ospf 10 area 0 interface s0/0/0 ipv6 ospf 10 area 0 interface s0/0/1 ipv6 ospf 10 area 0 !BB3!!!!!!!!!!!!!!!!!!! router ospf 10 router-id 3.3.3.3 network 172.16.16.0 0.0.7.255 area 2 network 172.16.24.0 0.0.7.255 area 2 network 10.0.1.0 0.0.0.3 area 0 ipv6 router ospf 10 router-id 3.3.3.3 interface g0/0 ipv6 ospf 10 area 2 interface g0/1 ipv6 ospf 10 area 2 interface s0/0/1 ipv6 ospf 10 area 0

Configuring Route Summarization for Multiarea OSPFv2 ABRs do not automatically summarize network addresses across area boundaries. To reduce the size of routing tables, you can manually configure ABRs and ASBRs to summarize networks so that they will then inject them into another area. In Figure 6-2, BB1 and BB3 can summarize the two LANs into one network advertisement. What is the command syntax to configure an ABR interarea summary route? Router(config-router)# area area-id range address mask

What is the summary route for the two LANs attached to BB1: Address: 172.16.0.0 Mask: 255.255.252.0 Document the command to configure BB1 with an interarea summary route. BB1(config-router)# area 1 range 172.16.0.0 255.255.252.0

What is the summary route for the two LANs attached to BB3: Address: 172.16.16.0 Mask: 255.255.240.0 Document the command to configure BB3 with an interarea summary route. BB3(config-router)# area 2 range 172.16.16.0 255.255.240.0

Your OSPF routing tables should look like the output in Example 6-2.

instructor.indb 83

3/12/14 7:51 AM

84


Example 6-2

Multiarea OSPFv2 and OSPFv3 Routing Tables

BB1# show ip route ospf | begin Gateway Gateway of last resort is 10.0.0.1 to network 0.0.0.0

O*E2


O


O

172.16.0.0/22 is a summary, 00:08:36, Null0

O

172.16.5.0/24 [110/65] via 10.0.0.1, 00:08:36, Serial0/0/0

O IA

172.16.16.0/20 [110/129] via 10.0.0.1, 00:04:44, Serial0/0/0

BB1# show ipv6 route ospf | begin OE2 OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 OE2 ::/0 [110/1], tag 10 via FE80::2, Serial0/0/0 O

2001:DB8:0:F::/64 [110/128]

OI

2001:DB8:3:1::/64 [110/129]

via FE80::2, Serial0/0/0

via FE80::2, Serial0/0/0 OI

2001:DB8:3:2::/64 [110/129]

O

2001:DB8:5:1::/64 [110/65]


via FE80::2, Serial0/0/0 BB1# BB2# show ip route ospf | begin Gateway Gateway of last resort is 0.0.0.0 to network 0.0.0.0

172.16.0.0/16 is variably subnetted, 4 subnets, 4 masks O IA

172.16.0.0/22 [110/65] via 10.0.0.2, 00:09:51, Serial0/0/0

O IA

172.16.16.0/20 [110/65] via 10.0.1.2, 00:05:59, Serial0/0/1

BB2# show ipv6 route ospf | begin OI OI

2001:DB8:1:1::/64 [110/65]

OI

2001:DB8:1:2::/64 [110/65]

2001


via FE80::1, Serial0/0/0 OI

2001:DB8:3:1::/64 [110/65]

OI

2001:DB8:3:2::/64 [110/65]


via FE80::3, Serial0/0/1 BB2# BB3# show ip route ospf | begin Gateway Gateway of last resort is 10.0.1.1 to network 0.0.0.0

instructor.indb 84

3/12/14 7:51 AM


O*E2

85


O


O IA

172.16.0.0/22 [110/129] via 10.0.1.1, 00:05:31, Serial0/0/1

O

172.16.5.0/24 [110/65] via 10.0.1.1, 00:05:31, Serial0/0/1

O

172.16.16.0/20 is a summary, 00:05:31, Null0

BB3# show ipv6 route ospf | begin OE2 OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 OE2 ::/0 [110/1], tag 10 via FE80::2, Serial0/0/1 O

2001:DB8:0:E::/64 [110/128] via FE80::2, Serial0/0/1

OI

2001:DB8:1:1::/64 [110/129]

OI

2001:DB8:1:2::/64 [110/129]


via FE80::2, Serial0/0/1 O

2001:DB8:5:1::/64 [110/65] via FE80::2, Serial0/0/1

BB3#

Verifying Multiarea OSPF In Table 6-5, indicate which command or commands will provide the multiarea OSPFv2 verification information. Table 6-5

Multiarea OSPFv2 Verification Commands

Verification Information

Process ID

show ip protocols

show ip ospf interface brief

X

X

X

X X

Interface Cost Router ID

X

Administrative Distance

X

Number of Areas

X

Networks from Other Areas

X X X X

All Known Routes Total Cost of Route

show ip ospf database

X

State of OSPF Interface Networks Configured

show ip route ospf

X

Verification commands for multiarea OSPFv3 are almost identical to OSPFv2. In Table 6-6, indicate which command or commands will provide the multiarea OSPFv3 verification information.

instructor.indb 85

3/12/14 7:51 AM

86


Table 6-6

Multiarea OSPFv3 Verification Commands

Verification Information

show ipv6 protocols

show ipv6 ospf interface brief

show ipv6 route ospf

show ipv6 ospf database

X

Administrative Distance

X

All Known Routes X

Interface Cost

X

Networks from Other Areas Number of Areas

X

Process ID

X

Router ID

X

State of OSPF Interface

X

X X X

X

Total Cost of Route

X

Lab - Configuring Multiarea OSPFv2 (SN 6.2.3.8/RP 8.2.3.8) Lab - Configuring Multiarea OSPFv3 (SN 6.2.3.9/RP 8.2.3.9) Lab - Troubleshooting Multiarea OSPFv2 and OSPFv3 (SN 6.2.3.10/RP 8.2.3.10) Packet Tracer Activity

Packet Tracer - Configuring Multiarea OSPFv2 (SN 6.2.3.6/RP 8.2.3.6) Packet Tracer - Configuring Multiarea OSPFv3 (SN 6.2.3.7/RP 8.2.3.7)

instructor.indb 86

3/12/14 7:51 AM

CHAPTER 7

EIGRP

The main purpose in Cisco’s development of Enhanced Interior Gateway Routing Protocol (EIGRP) was to create a classless version of IGRP. EIGRP includes several features that are not commonly found in other distance vector routing protocols such as RIP (RIPv1 and RIPv2) and IGRP. Although EIGRP may act like a link-state routing protocol, it is still a distance vector routing protocol.

instructor.indb 87

3/12/14 7:51 AM

88


Characteristics of EIGRP EIGRP is considered an advanced distance vector routing protocol because it has characteristics not found in other distance vector protocols like RIP and IGRP.

Describe Basic EIGRP Features A major difference between EIGRP and other distance vector protocols is the algorithm it uses to calculate the best rate. Name and briefly describe this algorithm. The Diffusing Update Algorithm (DUAL) guarantees a loop-free route and provides backup paths throughout the routing domain. These backup routes are maintain in a topology table and can be immediately installed in the routing table if the primary route fails. What protocol, unique to EIGRP, provides for the delivery of EIGRP packets to neighbors? Reliable Transport Protocol (RTP) What is meant by the statement, “EIGRP provides partial and bounded updates”? EIGRP doesn’t send periodic updates (like RIP or IGRP). Instead, EIGRP sends out a partial update if there is a change in a route or routes. Bounded means that the partial update is only sent to those routers that need it. Protocol-dependent modules (PDMs) allow EIGRP to route several different network layer protocols. List at least four functions of EIGRP’s PDMs. ■

Maintaining the neighbor and topology tables of EIGRP routers that belong to that protocol suite

■

Building and translating protocol-specific packets for DUAL

■

Interfacing DUAL to the protocol-specific routing table

■

Computing the metric and passing this information to DUAL

■

Implementing filtering and access lists

■

Performing redistribution functions to and from other routing protocols

■

Redistributing routes that are learned by other routing protocols

What are the IPv4 and IPv6 multicast addresses used by EIGRP’s RTP? IPv4 uses 224.0.0.10 and IPv6 uses FF02::A.

Identify and Describe EIGRP Packet Types Like the Open Shortest Path First (OSPF) Protocol, EIGRP relies on different types of packets to maintain its tables and establish relationships with neighbor routers. In Table 7-1, provide a brief description for each EIGRP packet type.

instructor.indb 88

3/12/14 7:51 AM

Chapter 7: EIGRP

Table 7-1

89

EIGRP Packet Types

Packet Type

Description

Hello

Used to discover other EIGRP routers in the network

Acknowledgment

Used to acknowledge the receipt of any EIGRP packet

Update

Used to convey routing information to known destinations

Query

Used to request specific information from a neighbor router

Reply

Used to respond to a query

Complete the missing elements in this exercise by filling in appropriate words or phrases. When encountered, circle whether the packet is reliable or unreliable and whether it is unicast or multicast. Hello packets: ■

(Reliable/unreliable) (unicast/multicast) sent to the address, 224.0.0.10, to discover and maintain neighbors; contains the router’s neighbor table

■

Default Hello interval depends on the bandwidth: ■

≤ 1.544 Mbps = 60 sec. Hello interval (180 holdtime)

■

> 1.544 Mbps = 5 sec. Hello interval (15 holdtime)

Update packets. Sent (reliably/unreliably), there are two types: ■

(Unicast/multicast) to new neighbor discovered; contains routing information

■

(Unicast/multicast) to all neighbors when topology changes

Query packets. Queries are (unicast/multicast) (reliably/unreliably) during route recomputation, asking neighbors for a new successor to a lost route. Reply packets. Neighbors (unicast/multicast) a reply to a query whether they have a route. Acknowledgment packets. “Dataless” (unicast/multicast) packet that acknowledges the receipt of a packet that was sent reliably. This type is actually a Hello packet with a nonzero value in the Acknowledgment field. An EIGRP router assumes that as long as it is receiving Hello packets from a neighbor, the neighbor and its routes remain viable. Holdtime tells the router the maximum time the router should wait to receive the next Hello before declaring that neighbor as unreachable. By default, this waiting period is three times the Hello interval, or 15 seconds on most networks and 180 seconds on networks with speeds of T1 or slower. If the time expires, EIGRP will declare the route as down, and DUAL will search for a new path by sending out queries.

Identify Elements of the EIGRP Message Formats Figure 7-1 shows an example of an encapsulated EIGRP message. Fill in the missing field contents.

instructor.indb 89

3/12/14 7:51 AM

90


Figure 7-1

Encapsulated EIGRP Message

Data Link Frame Header

IP Packet Header

EIGRP Packet Header

Type/Length/Values Types

Data Link Frame MAC Source Address = Address of Sending Interface MAC Destination Address = Multicast: 01-00-5E-00-00-0A IP Packet IP Source Address = Address of Sending Interface IP Destination Address = Multicast: Protocol Field = for EIGRP EIGRP Packet Header Opcode for EIGRP Packet Type TLV Types Some Types Include: 0x0001 0x0102 0x0103

Figure 7-1a

Encapsulated EIGRP Message (answer)

Data Link Frame Header

IP Packet Header

EIGRP Packet Header


Data Link Frame MAC Source Address = Address of Sending Interface MAC Destination Address = Multicast: 01-00-5E-00-00-0A IP Packet IP Source Address = Address of Sending Interface IP Destination Address = Multicast: 224.0.0.10 Protocol Field = 88 for EIGRP EIGRP Packet Header Opcode for EIGRP Packet Type AS Number TLV Types Some Types Include: 0x0001 EIGRP Parameters 0x0102 IP Internal Routes 0x0103 IP External Routes

The EIGRP packet header is included with every EIGRP packet, regardless of its type. In the IP packet header, the Protocol field is set to 88 to indicate EIGRP, and the destination address is set to the multicast 224.0.0.10. Every EIGRP message includes the header as shown in Figure 7-2. Fill in the missing field contents.

instructor.indb 90

3/12/14 7:51 AM

Chapter 7: EIGRP

Figure 7-2

91

EIGRP Packet Header Data Link Frame Header

Bit

0

IP Packet Header

EIGRP Packet Header

7 8

15 16


23 24 Checksum

Version

31

Flags EIGRP Header

Sequence Ack

EIGRP Message

Figure 7-2a

Numbers TLVs

EIGRP Packet Header (answer) Data Link Frame Header

Bit

0

IP Packet Header

EIGRP Packet Header

7 8

15 16

23 24 Checksum

Opcode

Version


31

Flags EIGRP Header

Sequence Ack Autonomous System

EIGRP Message

Numbers TLVs

Important fields for our discussion include the Opcode field and the Autonomous System (AS) field. Opcode specifies the EIGRP packet type, one of the following: ■

Update

■

Query

■

Reply

■

Hello

The number in the AS field is used to track multiple instances of EIGRP. Encapsulated in the EIGRP packet header is the TLV (Type/Length/Values) shown in Figure 7-3. Fill in the missing field contents. Figure 7-3

EIGRP Parameters TLV

Data Link Frame Header Bit

Values

instructor.indb 91

0

IP Packet Header

7 8 Type = 0x0001

EIGRP Packet Header 15 16

Type/Length/Values Types: EIGRP Parameters TLV 23 24 Length

31

Reserved

3/12/14 7:51 AM

92


Figure 7-3a

EIGRP Parameters TLV (answer) Data Link Frame Header

Bit

0

Values

IP Packet Header

7 8 Type = 0x0001


K1

K2

K5

Reserved

Type/Length/Values Types: EIGRP Parameters TLV 23 24 Length

K3

31 K4

Hold Time

This EIGRP parameters message includes the weights that EIGRP uses for its composite metric. By default, only bandwidth and delay are weighted. Both are equally weighted; therefore, the K1 field for bandwidth and the K3 field for delay are both set to 1. The other K values are set to 0. The holdtime is the amount of time the EIGRP neighbor receiving this message should wait before considering the advertising router to be down. Figure 7-4 shows the IP Internal message that is used to advertise EIGRP routes within an autonomous system. Fill in the missing field contents. Figure 7-4

IP Internal Routes TLV Data Link Frame Header

Bit

0

IP Packet Header

7 8 Type = 0x0102


Type/Length/Values Types: IP Internal Routes TLV 23 24 Length

31

Next Hop

Values

MTU Reliability

Figure 7-4a

Reserved

IP Internal Routes TLV (answer) Data Link Frame Header

Bit

Hope Count

Load

0

IP Packet Header

7 8 Type = 0x0102


Type/Length/Values Types: IP Internal Routes TLV 23 24 Length

31

Next Hop Delay Bandwidth

Values

MTU Reliability Prefix Length

instructor.indb 92

Load

Hope Count Reserved Destination

3/12/14 7:51 AM

Chapter 7: EIGRP

93

Important fields include the metric fields (Delay and Bandwidth), the subnet mask field (Prefix Length), and the Destination field. Explain how the delay value is calculated? Delay is calculated as the sum of delays from source to destination in units of 10 microseconds. Explain how the bandwidth value is determined? Bandwidth is the lowest configured bandwidth of any interface along the route. The subnet mask is specified as the prefix length or the number of network bits in the subnet mask. For example, the subnet mask 255.255.255.0 has a prefix length of 24. Figure 7-5 shows the IP External message that is used when external routes are imported into the EIGRP routing process. Notice that the bottom half of the IP External TLV includes all the fields used by the IP Internal TLV. Fill in the missing field contents. Figure 7-5

IP External Routes TLV Data Link Frame Header

Bit

0

IP Packet Header

EIGRP Packet Header

7 8 Type = 0x0103

Type/Length/Values Types: IP External Routes TLV

15 16

23 24 Length

31 Value fields used to track external source of route.

Originating Routers Originating Autonomous System Number Arbitrary Tag Values

Reserved

Ext. Protocol ID

MTU Reliability

Figure 7-5a

0

Hope Count

Load

Reserved

IP Packet Header

EIGRP Packet Header

7 8 Type = 0x0103

15 16

Type/Length/Values Types: IP External Routes TLV 23 24 Length

31

Next Hop Originating Routers Originating Autonomous System Number Arbitrary Tag External Protocol Metric Values

Reserved

Ext. Protocol ID

Flags

Delay Bandwidth MTU Reliability Prefix Length

instructor.indb 93

Same value fields used in the IP Internal TLV.

IP External Routes TLV (answer)

Data Link Frame Header Bit

Flags

Load

Hope Count Reserved Destination

Value fields used to track external source of route. Same value fields used in the IP Internal TLV.

3/12/14 7:51 AM

94


Configuring EIGRP for IPv4 Implementing EIGRP for IPv4 is with basic configurations is straightforward. Tweaking EIGRP with more advanced settings is the topic of the next chapter.

Configuring EIGRP with IPv4 Briefly explain the purpose of the autonomous system number in EIGRP configurations. The autonomous system number functions as a process ID to help routers keep track of multiple running instances of EIGRP. It has nothing to do with the autonomous system number assigned by IANA and RIRs to ISPs for their BGP routing configurations What are the steps a Cisco router uses to choose its router ID? 1. Use the IPv4 address configured with the eigrp router-id command. 2. If the router ID is not configured, use the highest IPv4 address loopback interfaces. 3. If no loopbacks are configured, use the highest active IPv4 address of physical interfaces. What are the two main reasons for using the passive-interface command? 1. To stop unnecessary traffic from being sent out an interface where there are no other EIGRP routers. 2. To provide security to the EIGRP routing process by preventing a rogue device from injecting false or less than optimal routing information. We will use the topology in Figure 7-6 and the addressing in Table 7-2 to configure a dualstack network running EIGRP for IPv4 and IPv6. Figure 7-6

Dual-Stacked Multiarea EIGRP Topology 10.10.0.0/22 2001:DB8:1:1::/64

10.10.4.0/22 2001:DB8:1:2::/64

209.165.201.0/30 2001:DB8:F:F::/64

G0/1 G0/0 S0/0/0

10.10.8.0/23 2001:DB8:1:3::/64

Lo0 HQ

S0/0/1

172.16.1.248/30 2001:DB8:F:1::/64

172.16.1.252/30 2001:DB8:F:2::/64 768 kbps

S0/0/0

instructor.indb 94

B1 G0/1

S0/0/1

128 kbps S0/0/1

10.10.12.0/24 2001:DB8:1:5::/64

512 kbps

G0/0 10.10.10.0/23 2001:DB8:1:4::/64

Internet

S0/0/0 172.16.1.244/30 2001:DB8:F::/64

B3

G0/0 G0/1

10.10.13.0/24 2001:DB8:1:6::/64

3/12/14 7:51 AM

Chapter 7: EIGRP

Table 7-2

95

Addressing for the Dual-Stacked EIGRP Topology

Device

Interface


HQ

G0/0

10.10.0.1

255.255.252.0

2001:DB8:1:1::1/64 G0/1

10.10.4.1

255.255.252.0

2001:DB8:1:2::1/64 S0/0/0

172.16.1.249

255.255.255.252

2001:DB8:F:1::1/64 S0/0/1

172.16.1.253

255.255.255.252

2001:DB8:F:2::1/64 Lo0

209.165.201.1

255.255.255.252

2001:DB8:F:F::1/64 Link-Local B1

FE80::2

Router ID

2.2.2.2

G0/0

10.10.8.1

255.255.254.0

2001:DB8:1:3::1/64 G0/1

10.10.10.1

255.255.254.0

2001:DB8:1:4::1/64 S0/0/0

172.16.1.250

255.255.255.252

2001:DB8:F:1::2/64 S0/0/1

172.16.1.245

255.255.255.252

2001:DB8:F::1/64

B3

Link-Local

FE80::1

Router ID

1.1.1.1

G0/0

10.10.12.1

255.255.255.0

2001:DB8:1:5::1/64 G0/1

10.10.13.1

255.255.255.0

2001:DB8:1:6::1/64 S0/0/0

172.16.1.246

255.255.255.252

2001:DB8:F::2/64 S0/0/1

172.16.1.254

255.255.255.252

2001:DB8:F:2::2/64 Link-Local

FE80::3

Router ID

3.3.3.3

Document the most basic routing commands you could use to configure EIGRP for IPv4. Include the commands to configure the LAN interfaces as passive. The commands for all three routers are the same, except for the router ID configuration for each router. !B1!!!!!!!!!!! router eigrp 1 eigrp router-id 1.1.1.1 network 10.0.0.0

instructor.indb 95

3/12/14 7:51 AM

96


network 172.16.0.0 passive-interface g0/0 passive-interface g0/1 !HQ!!!!!!!!!!! router eigrp 1 eigrp router-id 2.2.2.2 network 10.0.0.0 network 172.16.0.0 passive-interface g0/0 passive-interface g0/1 !B3!!!!!!!!!!! router eigrp 1 eigrp router-id 3.3.3.3 network 10.0.0.0 network 172.16.0.0 passive-interface g0/0 passive-interface g0/1

Now, for each router, document the network commands you would configure if the policy stated that you must also configure the wildcard mask for each interface participating in the EIGRP routing domain. !B1!!!!!!!!!!! router eigrp 1 no network 10.0.0.0 no network 172.16.0.0 network 10.10.8.0 0.0.1.255 network 10.10.10.0 0.0.1.255 network 172.16.1.248 0.0.0.3 !HQ!!!!!!!!!!! router eigrp 1 no network 10.0.0.0 no network 172.16.0.0 network 10.10.0.0 0.0.3.255 network 10.10.4.0 0.0.3.255 network 172.16.1.248 0.0.0.3 network 172.16.1.252 0.0.0.3 !B3!!!!!!!!!!! router eigrp 1 no network 10.0.0.0 no network 172.16.0.0 network 10.10.12.0 0.0.0.255 network 10.10.13.0 0.0.0.255 network 172.16.1.252 0.0.0.3

instructor.indb 96

3/12/14 7:51 AM

Chapter 7: EIGRP

97

Verifying EIGRP with IPv4 Before any updates can be sent or received by EIGRP, routers must establish adjacencies with their neighbors. EIGRP routers establish adjacencies with neighbor routers by exchanging EIGRP Hello packets. Use the show ip eigrp neighbors command to view the neighbor table and verify that EIGRP has established an adjacency with its neighbors. This command enables you to verify and troubleshoot EIGRP. Example 7-1 shows the neighbor table for HQ. Example 7-1

EIGRP Neighbor Table for HQ

HQ# show ip eigrp neighbors EIGRP-IPv4 Neighbors for AS(1) H

Address

Interface

Hold Uptime

SRTT

(sec)

(ms)

RTO

Q

Seq

Cnt Num

1

172.16.1.254

Se0/0/1

14 00:28:35

2

100

0

33

0

172.16.1.250

Se0/0/0

10 00:28:48

1

100

0

36

As with OSPF, you can use the show ip protocols command shown in Example 7-2 to verify that EIGRP is enabled. Because this configuration was done on a router with IOS 15.1, automatic summarization is disabled by default. Example 7-2

Verifying EIGRP Is Enabled on HQ

HQ# show ip protocols *** IP Routing is NSF aware ***

Routing Protocol is "eigrp 1" Outgoing update filter list for all interfaces is not set Incoming update filter list for all interfaces is not set Default networks flagged in outgoing updates Default networks accepted from incoming updates EIGRP-IPv4 Protocol for AS(1) Metric weight K1=1, K2=0, K3=1, K4=0, K5=0 NSF-aware route hold timer is 240 Router-ID: 2.2.2.2 Topology : 0 (base) Active Timer: 3 min Distance: internal 90 external 170 Maximum path: 4 Maximum hopcount 100 Maximum metric variance 1

Automatic Summarization: disabled Maximum path: 4

instructor.indb 97

3/12/14 7:51 AM

98


Routing for Networks: 10.10.0.0/22 10.10.4.0/22 172.16.1.248/30 172.16.1.252/30 Passive Interface(s): GigabitEthernet0/0 GigabitEthernet0/1 Routing Information Sources: Gateway

Distance

Last Update

172.16.1.254

90

00:29:47

172.16.1.250

90

00:29:47

Distance: internal 90 external 170

Another way to verify that EIGRP and other functions of the router are configured properly is to examine the routing tables with the show ip route command. EIGRP routes are denoted in the routing table with a D, which stands for DUAL. Example 7-3 shows output from the routing table for B1 with only the EIGRP routes shown. Also, notice that the output begins at the “Gateway of last resort is not set” statement. What command generated this output? show ip route eigrp | begin Gateway Example 7-3

B1 Routing Table with EIGRP Routes

B1# show ip route eigrp | begin Gateway Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 8 subnets, 4 masks D

10.10.0.0/22 [90/2172416] via 172.16.1.249, 00:43:44, Serial0/0/0

D

10.10.4.0/22 [90/2172416] via 172.16.1.249, 00:43:44, Serial0/0/0

D

10.10.12.0/24 [90/2684416] via 172.16.1.249, 00:43:31, Serial0/0/0

D


D

172.16.1.252/30 [90/2681856] via 172.16.1.246, 00:00:05, Serial0/0/1

B1#

instructor.indb 98

3/12/14 7:51 AM

Chapter 7: EIGRP

99

Lab - Configuring Basic EIGRP with IPv4 (SN 7.2.2.5/RP 4.2.2.5) Packet Tracer Activity

Packet Tracer - Configuring Basic EIGRP with IPv4 (SN 7.2.2.4/RP 4.2.2.4)

Operation of EIGRP EIGRP uses the Diffusing Update Algorithm (DUAL) to select the best routes based on a composite metric. This section reviews the values of the EIGRP metric and how EIGRP performs the calculation to arrive at the metric displayed in the routing table.

EIGRP Metric Concepts List the values EIGRP uses in its composite metric to calculate the preferred path to a network: ■

Bandwidth

■

Delay

■

Reliability

■

Load

Record the formula used to calculate the default EIGRP composite metric. Default metric = [K1 * Bandwidth + K3 * Delay] * 256 What command can you use to change the default K values? Router(config-router)# metric weights tos k1 k2 k3 k4 k5

What command do you use to verify the K values used by EIGRP? show ip protocols What command enables you to verify the actual values of the EIGRP metric? show interface The bandwidth metric is displayed in Kbit (kilobits). The WIC-2T and HWIC-2T use the default value of 1,544,000 bps, which is the value for a T1 connection. The value may or may not reflect the actual physical bandwidth of the interface. If actual bandwidth of the link differs from the default value, you should modify the value. We will review modifying the bandwidth calculation to reflect actual values in the next chapter. Delay is a measure of the time it takes for a packet to traverse a route. This metric is a static value and is expressed in microseconds. Complete Table 7-3. Table 7-3

instructor.indb 99

Interface Delay Values

Media

Delay

Ethernet

1000

Fast Ethernet

100

Gigabit Ethernet

10

FDDI

100

T1 (serial default)

20,000

3/12/14 7:51 AM

100


Media

Delay

DS0 (64 Kbps)

20,000

1024 Kbps

20,000

56 Kbps

20,000

Reliability is based on the worst value on a particular link and is computed based on keepalives. Load is based on the worst value on a particular link and is computed based on packet rates. However, because the EIGRP composite metric defaults to bandwidth and delay only, reliability and load are not normally considered in the calculation of metric.

DUAL Concepts Exercise Dual provides the following: ■

Loop-free paths

■

Loop-free backup paths which can be used immediately

■

Fast convergence

■

Minimum bandwidth usage with bounded updates

Briefly explain the term successor. A successor is a neighboring router that is used for packet forwarding and is the least-cost route to the destination network. Briefly explain what is meant by feasible distance. Feasible distance (FD) is the lowest calculated metric to reach the destination network. Examine the following output for B1’s routing table shown in Example 7-4. Example 7-4

Feasible Distance and Successors in the B1 Routing Table



10.10.0.0/22 [90/2172416] via 172.16.1.249, 03:06:49, Serial0/0/0

D

10.10.4.0/22 [90/2172416] via 172.16.1.249, 03:06:49, Serial0/0/0

D

10.10.12.0/24 [90/2684416] via 172.16.1.249, 03:06:49, Serial0/0/0

D


D

instructor.indb 100

172.16.1.252/30 [90/2681856] via 172.16.1.249, 03:06:50, Serial0/0/0

3/12/14 7:51 AM

Chapter 7: EIGRP

101

Answer the questions that follow: What is the IP address of the successor for network 10.10.4.0/22? 172.16.1.249, which is HQ What is the feasible distance to 10.10.4.0/22? 2172416 What is the IP address of the successor for network 10.10.12.0/24? 172.16.1.249, which is HQ What is the feasible distance to 10.10.12.0/24? 2684416 Briefly explain the term feasible successor. A backup path to other routers maintained in a separate table so that DUAL does not have to be recomputed when the successor becomes unavailable. A feasible successor satisfies the feasibility condition Briefly explain feasibility condition. The feasibility condition (FC) is met when a neighbor’s reported distance (RD) to a network is less than the local router’s feasible distance to the same destination network. Briefly explain reported distance. The reported distance or advertised distance is simply an EIGRP neighbor’s feasible distance to the same destination network. The reported distance is the metric that a router reports to a neighbor about its own cost to that network. The successor, feasible distance, and any feasible successors with their reported distances are kept by a router in its EIGRP topology table or topology database. This table can be viewed using the show ip eigrp topology command, as shown in Example 7-5. Example 7-5

Successors and Feasible Successors in the B1 Topology Table

B1# show ip eigrp topology EIGRP-IPv4 Topology Table for AS(1)/ID(1.1.1.1) Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - reply Status, s - sia Status

P 10.10.8.0/23, 1 successors, FD is 28160 via Connected, GigabitEthernet0/0 P 172.16.1.248/30, 1 successors, FD is 2169856 via Connected, Serial0/0/0 P 172.16.1.244/30, 1 successors, FD is 3845120 via Connected, Serial0/0/1 P 10.10.12.0/24, 1 successors, FD is 2684416 via 172.16.1.249 (2684416/2172416), Serial0/0/0 via 172.16.1.246 (3847680/28160), Serial0/0/1 P 10.10.4.0/22, 1 successors, FD is 2172416 via 172.16.1.249 (2172416/28160), Serial0/0/0 P 172.16.1.252/30, 1 successors, FD is 2681856 via 172.16.1.249 (2681856/2169856), Serial0/0/0 via 172.16.1.246 (4357120/2169856), Serial0/0/1

instructor.indb 101

3/12/14 7:51 AM

102


P 10.10.0.0/22, 1 successors, FD is 2172416 via 172.16.1.249 (2172416/28160), Serial0/0/0 P 10.10.13.0/24, 1 successors, FD is 2684416 via 172.16.1.249 (2684416/2172416), Serial0/0/0 via 172.16.1.246 (3847680/28160), Serial0/0/1 P 10.10.10.0/23, 1 successors, FD is 28160 via Connected, GigabitEthernet0/1

The topology table lists all successors and feasible successors that DUAL has calculated to destination networks. Use the partial output in Example 9-5 to answer the following questions: For route 10.10.12.0/24... What is the IP address of the successor? 172.16.1.249 What is the reported distance of the successor? 2172416 What is the feasible distance of the successor? 2684416 What is the IP address of the feasible successor? 172.16.1.246 What is the reported distance of the feasible successor? 28160 What is the feasible distance of the feasible successor? 3847680 Notice that the reported distance of the feasible successor is less than the feasible distance of the successor. What happens if an EIGRP router doesn’t have feasible successor in the topology table and the router loses connection to the successor? Then DUAL must be recomputed and neighbors queried for a possible backup route.

DUAL FSM Completion Exercise A finite state machine (FSM) is an abstract machine, not a mechanical device with moving parts. FSMs define a set of possible states that something can go through, what events cause those states, and what events result from those states. Designers use FSMs to describe how a device, computer program, or routing algorithm will react to a set of input events. Figure 7-7 is a simplified flowchart of DUAL’s FSM. Fill in the flowchart with the states EIGRP moves through when it loses connectivity with a successor. The flowchart should serve as a visual study aid to help you remember how DUAL converges on new routes.

instructor.indb 102

3/12/14 7:51 AM

Chapter 7: EIGRP

Figure 7-7

103

DUAL FSM Flowchart

Lost Connectivity to Successor

Yes

No

Yes

No

instructor.indb 103

3/12/14 7:51 AM

104


Figure 7-7

DUAL FSM Flowchart (answer)

Lost Connectivity to Successor

Promote to Successor

Yes

Feasible Successor?

Yes

One or More New Routes?

No

Place Destination Network in Active State

Install Successor in Routing Table

Select New Successor

Query Neighbors for New Route

No

Install Feasible Successor(s), if any, in Topology Table

Remove Destination Network from Topology and Routing Tables

7.3.4.4 Packet Tracer - Investigating DUAL FSM

Configuring EIGRP for IPv6 EIGRP for IPv4 and EIGRP for IPv6 are almost identical in their operation. Configuring EIGRP for IPv6 is actually easier than IPv4. No need to configure network statements. Simply enable EIGRP for IPv6 globally, assigning a router ID. Then enable EIGRP on each interface you want to participate in the EIGRP routing process.

Comparing EIGRP for IPv4 and EIGRP for IPv6 In Table 7-4, indicate whether an EIGRP feature is associated with EIGRP for IPv4, EIGRP for IPv6, or both.

instructor.indb 104

3/12/14 7:51 AM

Chapter 7: EIGRP

Table 7-4

105

Comparing EIGRP for IPv4 and IPv6

Features

EIGRP for IPv4

Advertised IPv4 networks

EIGRP for IPv6

Both

X

Advertised IPv6 networks

X

Distance vector

X

DUAL algorithm

X

Default metric: bandwidth and delay

X

Transport protocol: RTP

X

Incremental, partial, and bounded updates

X

Neighbor discovery: Hello packets

X

224.0.0.10 multicast

X

FF02::10 multicast

X

Configuring and Verifying EIGRP for IPv6 The steps to configure EIGRP for IPv6 are as follows: Step 1.

Enable IPv6 routing.

Step 2.

Enable EIGRP for IPv6 globally and configure the router ID.

Step 3.

Enable the interfaces that are to participate in EIGRP for IPv6.

With those steps in mind, document the configurations for each router shown in Figure 7-6. Instructor Note: Although not required of the student, the IPv6 interface addressing is also including in the following scripts. !HQ!!!!!!!!!!! en conf t ipv6 unicast-routing ipv6 router eigrp 1 eigrp router-id 2.2.2.2 no shutdown interface g0/0 ipv6 address 2001:db8:1:1::1/64 ipv6 address fe80::2 link-local ipv6 eigrp 1 no shutdown interface g0/1 ipv6 address 2001:db8:1:2::1/64 ipv6 address fe80::2 link-local ipv6 eigrp 1 no shutdown interface s0/0/0 ipv6 address 2001:db8:f:1::1/64 ipv6 address fe80::2 link-local

instructor.indb 105

3/12/14 7:51 AM

106


ipv6 eigrp 1 no shutdown interface s0/0/1 ipv6 address 2001:db8:f:2::1/64 ipv6 address fe80::2 link-local ipv6 eigrp 1 no shutdown int lo0 ipv6 address 2001:db8:f:f::1/64 end !B1!!!!!!!!!!! en conf t ipv6 unicast-routing ipv6 router eigrp 1 eigrp router-id 1.1.1.1 no shutdown interface g0/0 ipv6 address 2001:db8:1:3::1/64 ipv6 address fe80::1 link-local ipv6 eigrp 1 no shutdown interface g0/1 ipv6 address 2001:db8:1:4::1/64 ipv6 address fe80::1 link-local ipv6 eigrp 1 no shutdown interface s0/0/0 ipv6 address 2001:db8:f:1::2/64 ipv6 address fe80::1 link-local ipv6 eigrp 1 no shutdown interface s0/0/1 ipv6 address 2001:db8:f::1/64 ipv6 address fe80::1 link-local ipv6 eigrp 1 no shutdown end !B3!!!!!!!!!!! en conf t ipv6 unicast-routing ipv6 router eigrp 1 eigrp router-id 3.3.3.3

instructor.indb 106

3/12/14 7:51 AM

Chapter 7: EIGRP

107

no shutdown interface g0/0 ipv6 address 2001:db8:1:5::1/64 ipv6 address fe80::3 link-local ipv6 eigrp 1 no shutdown interface g0/1 ipv6 address 2001:db8:1:6::1/64 ipv6 address fe80::3 link-local ipv6 eigrp 1 no shutdown interface s0/0/0 ipv6 address 2001:db8:f::2/64 ipv6 address fe80::3 link-local ipv6 eigrp 1 no shutdown interface s0/0/1 ipv6 address 2001:db8:f:2::2/64 ipv6 address fe80::3 link-local ipv6 eigrp 1 no shutdown end

What command enables you to verify adjacency with other EIGRP routers? B1# show ipv6 eigrp neighbors EIGRP-IPv6 Neighbors for AS(1) H

Address

Interface

Hold Uptime

SRTT

(sec)

(ms)

RTO

Q

Seq

1

Link-local address:

Se0/0/1

11 00:14:52

1

186

0

50

Se0/0/0

12 00:14:53

1

100

0

25

Cnt Num

FE80::3 0

Link-local address: FE80::2

What command enables you to display the EIGRP parameters, including the K values, router ID, process ID, and administrative distances? B1# show ipv6 protocols IPv6 Routing Protocol is "connected" IPv6 Routing Protocol is "eigrp 1" EIGRP-IPv6 Protocol for AS(1) Metric weight K1=1, K2=0, K3=1, K4=0, K5=0 NSF-aware route hold timer is 240 Router-ID: 1.1.1.1 Topology : 0 (base) Active Timer: 3 min

instructor.indb 107

3/12/14 7:51 AM

108


Distance: internal 90 external 170 Maximum path: 16 Maximum hopcount 100 Maximum metric variance 1

Interfaces: Serial0/0/0 Serial0/0/1 GigabitEthernet0/0 GigabitEthernet0/1 Redistribution: None IPv6 Routing Protocol is "ND"

What command enables you to verify the EIGRP routes are installed in the routing table? B1# show ipv6 route eigrp IPv6 Routing Table - default - 14 entries Codes: C - Connected, L - Local, S - Static, U - Per-user Static route B - BGP, R - RIP, H - NHRP, I1 - ISIS L1 I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP EX - EIGRP external, ND - ND Default, NDp - ND Prefix, DCE - Destination NDr - Redirect, O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1 OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 D

2001:DB8:1:1::/64 [90/2172416]

D

2001:DB8:1:2::/64 [90/2172416]


via FE80::2, Serial0/0/0 D

2001:DB8:1:5::/64 [90/2684416]

D

2001:DB8:1:6::/64 [90/2684416]



2001:DB8:F:2::/64 [90/2681856] via FE80::2, Serial0/0/0

Lab - Configuring Basic EIGRP for IPv6 (SN 7.4.3.5/RP 4.4.3.5) Packet Tracer Activity

instructor.indb 108

Packet Tracer - Configuring Basic EIGRP with IPv6 (SN 7.4.3.4/RP 4.4.3.5)

3/12/14 7:51 AM

CHAPTER 8

EIGRP Advanced Configurations and Troubleshooting This chapter reviews the various ways you can adjust your Enhanced Interior Gateway Routing Protocol (EIGRP) implementation to provide additional capabilities and functionality. In addition, troubleshooting EIGRP is also covered.

instructor.indb 109

3/12/14 7:51 AM

110


Advanced EIGRP Configurations Now that you are familiar with the basic configuration and verification commands for implementing EIGRP, this section focuses on ways you can tweak the implementation to improve performance, enable load balancing, and authenticate updates between EIGRP neighbors.

Automatic Summarization Before Cisco IOS 15.01(1)M and 12.2(33), automatic summarization in EIGRP was enabled by default. Briefly explain the concept of automatic summarization. Automatic summarization occurs at classful boundaries. So an EIGRP router with several subnets of a Class A, B, or C network will only advertise that network. Assume an EIGRP router is using automatic summarization. In Table 8-1, record the classful address advertised by the router for each listing of subnets. Table 8-1

Determine the Classful Networks Advertised by an EIGRP Router

Subnets

Classful Networks

10.10.10.0/24, 10.10.11.0/24, 10.10.12.0/24

10.0.0.0/8

172.16.16.0/22, 172.16.18.0/22

172.16.0.0/16

192.168.1.0/25, 192.168.1.128/25, 192.168.2.0/25, 192.168.2.128/25

192.168.1.0/24, 192.168.2.0/24

EIGRP automatic summarization should be used only if you are absolutely sure that you do not have any discontiguous subnets. For example, in Figure 8-1, the addressing scheme is discontiguous. Figure 8-1

EIGRP Automatic Summarization Topology with Discontiguous Subnets 10.10.0.0/22 HQ

172.16.1.248/30

172.16.1.252/30

10.10.8.0/23

10.10.12.0/24 B1

B3

If you enable automatic summarization on the routers, they will not advertise the specific subnets that belong to 10.0.0.0/8 across the 172.16.0.0 WAN links. Instead, they automatically summarize the subnets to 10.0.0.0/8 and advertise the classful network. But each router already has a link in the 10.0.0.0/8 address space, so the update from the neighbor is stored in the topology table. No routes to the subnets are installed. Automatic summarization is disabled by default in IOS 15 and later. What command including the router prompt will enable automatic summarization? Router(config-router)# auto-summary

instructor.indb 110

3/12/14 7:51 AM

Chapter 8: EIGRP Advanced Configurations and Troubleshooting

111

You can verify whether automatic summarization is enabled with the show ip protocols command displayed in Example 8-1 for HQ from Figure 8-1. Example 8-1

Verifying Automatic Summarization Is in Effect


Routing Protocol is "eigrp 1" Outgoing update filter list for all interfaces is not set Incoming update filter list for all interfaces is not set Default networks flagged in outgoing updates Default networks accepted from incoming updates EIGRP-IPv4 Protocol for AS(1) Metric weight K1=1, K2=0, K3=1, K4=0, K5=0 NSF-aware route hold timer is 240 Router-ID: 2.2.2.2 Topology : 0 (base) Active Timer: 3 min Distance: internal 90 external 170 Maximum path: 4 Maximum hopcount 100 Maximum metric variance 1

Automatic Summarization: enabled 172.16.0.0/16 for Gi0/0 Summarizing 2 components with metric 2169856 10.0.0.0/8 for Se0/0/0, Se0/0/1 Summarizing 1 component with metric 28160 Maximum path: 4 Routing for Networks: 10.0.0.0 172.16.0.0 Routing Information Sources: Gateway

Distance

Last Update

172.16.1.254

90

00:01:30

172.16.1.250

90

00:01:30

Distance: internal 90 external 170

To view the entire EIGRP topology table for HQ, use the show ip eigrp topology all-links command to generate the output displayed in Example 8-2.

instructor.indb 111

3/12/14 7:51 AM

112


Example 8-2

Viewing the Complete EIGRP Topology Table

HQ# show ip eigrp topology all-links EIGRP-IPv4 Topology Table for AS(1)/ID(2.2.2.2) Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - reply Status, s - sia Status

P 172.16.1.248/30, 1 successors, FD is 2169856, serno 2 via Connected, Serial0/0/0 P 172.16.0.0/16, 1 successors, FD is 2169856, serno 4 via Summary (2169856/0), Null0 P 10.0.0.0/8, 1 successors, FD is 28160, serno 3 via Summary (28160/0), Null0 via 172.16.1.250 (2172416/28160), Serial0/0/0 via 172.16.1.254 (2172416/28160), Serial0/0/1 P 172.16.1.252/30, 1 successors, FD is 2169856, serno 8 via Connected, Serial0/0/1 P 10.10.0.0/22, 1 successors, FD is 28160, serno 1 via Connected, GigabitEthernet0/0

You can see that HQ has a route for 10.0.0.0/8 from both B1 and B3 in its topology table. However, it also has its own summary route with a better metric. This is the route installed and used by HQ, as verified with the show ip route eigrp command displayed in Example 8-3. Example 8-3

Verifying the Summary Route Installed on HQ

HQ# show ip route eigrp | begin Gateway Gateway of last resort is not set


10.0.0.0/8 is a summary, 00:08:42, Null0 172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks

D

172.16.0.0/16 is a summary, 00:09:01, Null0

Briefly explain the purpose of the Null0 interface. The Null0 interface is installed in the routing table to prevent routing loops.

Manual Summarization In EIGRP design scenarios where it is not desirable to prevent discontiguous subnets, you may still want to encourage scalable designs so that you can take advantage of EIGRP’s manual summarization. This will help reduce the size of routing tables.

instructor.indb 112

3/12/14 7:51 AM


113

IPv4 Manual Summarization Figure 8-2 shows the same EIGRP topology we used in Chapter 7, “EIGRP.” However, now the topology shows the contracted bandwidth rates on each of the serial interfaces. We will use that information later to tune how EIGRP chooses the best route. Note: The bandwidths shown in Figure 8-2 are not realistic for today’s network implementations that require gigabit speeds across WAN links. These bandwidths are used for simplicity. Figure 8-2

Dual-Stack EIGRP Topology with Bandwidths 10.10.0.0/22 2001:DB8:1:1::/64

10.10.4.0/22 2001:DB8:1:2::/64

209.165.201.0/30 2001:DB8:F:F::/64

G0/1 G0/0 S0/0/0

10.10.8.0/23 2001:DB8:1:3::/64

Lo0 HQ

S0/0/1

172.16.1.248/30 2001:DB8:F:1::/64

172.16.1.252/30 2001:DB8:F:2::/64 768 kbps

S0/0/0 B1 G0/1

S0/0/1

128 kbps S0/0/1

10.10.12.0/24 2001:DB8:1:5::/64

512 kbps

G0/0 10.10.10.0/23 2001:DB8:1:4::/64

Internet

S0/0/0 172.16.1.244/30 2001:DB8:F::/64

B3

G0/0 G0/1

10.10.13.0/24 2001:DB8:1:6::/64

To calculate the IPv4 summary routes, use the same technique you used to calculate a IPv4 static summary routes: Step 1.

Write out the networks to be summarized in binary.

Step 2.

To find the subnet mask for summarization, start with the far-left bit.

Step 3.

Working from left to right, find all the bits that match consecutively.

Step 4.

When there is a column of bits that do not match, stop. This is the summary boundary.

Step 5.

Count the number of far-left matching bits, which in this example is 22. This number is used to determine the subnet mask for the summarized route: /22 or 255.255.252.0.

Step 6.

To find the network address for summarization, copy the matching 22 bits and add all 0 bits to the end to make 32 bits.

Once you have your summary, configure the desired interfaces with the ip summary-address eigrp command. Each interface that will send out an EIGRP update should have the command. In Figure 8-2, each router can summarizes the two local LANs into one summary route. Calculate the summary routes for each route and record the commands to configure the serial interfaces.

instructor.indb 113

3/12/14 7:51 AM

114


HQ Summary Route: 10.10.0.0/21 Command to configure Serial 0/0/0 and Serial 0/0/1: ip summary-address eigrp 1 10.10.0.0 255.255.248.0

B1 Summary Route: 10.10.8.0/22 Command to configure Serial 0/0/0 and Serial 0/0/1: ip summary-address eigrp 1 10.10.8.0 255.255.252.0

B3 Summary Route: 10.10.12.0/23 Command to configure Serial 0/0/0 and Serial 0/0/1: ip summary-address eigrp 1 10.10.12.0 255.255.254.0

The following calculations focus on the third octet: HQ

B1

B3

00000000

00001000

00001100

LAN 2

00000100

00001010

00001101

Summary Route

10.10.0.0/21

10.10.8.0/22

10.10.12.0/23

If you are following along in a simulator or on lab equipment, your EIGRP routing tables should look like Example 8-4. Note: We have not yet configured the bandwidth values shown in Figure 8-2. Example 8-4

EIGRP Routing Tables with Manual Summarization in Effect

HQ# show ip route eigrp | begin Gateway Gateway of last resort is not set


10.10.0.0/21 is a summary, 00:06:50, Null0

D

10.10.8.0/22 [90/2172416] via 172.16.1.250, 00:01:43, Serial0/0/0

D


D



10.0.0.0/8 is variably subnetted, 7 subnets, 4 masks

instructor.indb 114

D

10.10.0.0/21 [90/2172416] via 172.16.1.249, 00:00:54, Serial0/0/0

D

10.10.8.0/22 is a summary, 00:06:21, Null0

3/12/14 7:51 AM


D

115


D




10.10.0.0/21 [90/2172416] via 172.16.1.253, 00:00:48, Serial0/0/1

D

10.10.8.0/22 [90/2172416] via 172.16.1.245, 00:00:48, Serial0/0/0

D


D


IPv6 Manual Summarization Briefly explain why IPv6 does not support automatic summarization. Automatic summarization is based on classful addressing, which does not exist in IPv6. You can manually configure IPv6 summary routes. However, the IPv6 addressing in Figure 8-2 was not designed for summary routes. If you summarized the IPv6 LANs on any of the routers, you would be including IPv6 LANs from one or both of the other routers. For example, the summary for the IPv6 LANs on B3 would be 2001:DB8:1:4::/62. The calculation focuses on the fourth hextet since it is the one that is changing: 0000 0000 0000 0100 --> included in summary (B1 LAN) 0000 0000 0000 0101 --> B3 LAN 0000 0000 0000 0110 --> B3 LAN 0000 0000 0000 0111 --> included in a B1 summary, if configured

You can see that this summary would include the B1 IPv6 LAN, 2001:DB8:1:4::/64. But it would also include additional address space summarized by B1 if B1 also configured an IPv6 manual summary route. In fact, a summary route on B1 would include all the IPv6 LANs in the topology. Prove this using the following workspace to calculate what the IPv6 summary route would be for B1. 0000 0000 0000 0000 0000 0000 0000 0001 --> HQ LAN 0000 0000 0000 0010 --> HQ LAN 0000 0000 0000 0011 --> B1 LAN 0000 0000 0000 0100 --> B1 LAN 0000 0000 0000 0101 --> B3 LAN 0000 0000 0000 0110 --> B3 LAN 0000 0000 0000 0111

instructor.indb 115

3/12/14 7:51 AM

116


What would be the summary route for B1? 2001:DB8:1::/61 Packet Tracer Activity

Packet Tracer - Configuring EIGRP Manual Summary Routes for IPv4 and IPv6 (SN 8.1.2.5/RP 5.1.2.5)

Default Route Propagation Propagating a default route in EIGRP requires one additional command in your EIGRP configuration. What is the command, including the router prompt, for both IPv4 and IPv6? IPv4: Router(config-router)# redistribute static

IPv6: Router(config-rtr)# redistribute static

Figure 8-2 is using a Loopback interface to simulate a connection to the Internet. Record the commands to configure an IPv4 default route, IPv6 default route, and redistribute the routes to B1 and B3. HQ(config)# ip route 0.0.0.0 0.0.0.0 Lo0 HQ(config)# ipv6 route ::/0 Lo0 HQ(config)# router eigrp 1 HQ(config-router)# redistribute static HQ(config-router)# ipv6 router eigrp 1 HQ(config-rtr)# redistribute static

If you are following along in a simulator or on lab equipment, your verification output for B1 and B3 should look like Example 8-5. Example 8-5

EIGRP Routing Tables with Default Route Propagation

B1# show ip route eigrp | begin Gateway Gateway of last resort is 172.16.1.249 to network 0.0.0.0

D*EX


D

10.10.0.0/21 [90/2172416] via 172.16.1.249, 06:04:19, Serial0/0/0

D

10.10.8.0/22 is a summary, 00:05:31, Null0

D


D


B1# show ipv6 route eigrp | begin EX EX

::/0

::/0 [170/2169856] via FE80::2, Serial0/0/0

D

2001:DB8:1:1::/64 [90/2172416] via FE80::2, Serial0/0/0

instructor.indb 116

3/12/14 7:51 AM


D

117

2001:DB8:1:2::/64 [90/2172416] via FE80::2, Serial0/0/0

D

2001:DB8:1:6::/64 [90/2172416] via FE80::3, Serial0/0/1

D

2001:DB8:F:2::/64 [90/2681856] via FE80::2, Serial0/0/0 via FE80::3, Serial0/0/1

B1# ping 209.165.201.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 209.165.201.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms B1# ping 2001:db8:f:f::1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:DB8:F:F::1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms B3# show ip route eigrp | begin Gateway Gateway of last resort is 172.16.1.253 to network 0.0.0.0

D*EX


D

10.10.0.0/21 [90/2172416] via 172.16.1.253, 06:04:52, Serial0/0/1

D

10.10.8.0/22 [90/2172416] via 172.16.1.245, 06:04:52, Serial0/0/0

D


D



::/0 [170/2169856]

D

2001:DB8:1:1::/64 [90/2172416]

::/0



2001:DB8:1:2::/64 [90/2172416]

D

2001:DB8:1:4::/64 [90/2172416]



2001:DB8:F:1::/64 [90/2681856] via FE80::1, Serial0/0/0 via FE80::2, Serial0/0/1

B3# ping 209.165.201.1 Type escape sequence to abort.

instructor.indb 117

3/12/14 7:51 AM

118


Sending 5, 100-byte ICMP Echos to 209.165.201.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms B3# ping 2001:db8:f:f::1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:DB8:F:F::1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

8.1.3.4 Packet Tracer - Propagating a Default Route in EIGRP for IPv4 and IPv6

Fine-Tuning EIGRP Interfaces Bandwidth Utilization By default, EIGRP will use only up to 50 percent of the bandwidth of an interface for EIGRP information. This prevents the EIGRP process from overutilizing a link and not allowing enough bandwidth for the routing of normal traffic. The ip bandwidth-percent eigrp command can be used to configure the percentage of bandwidth that may be used by EIGRP on an interface. Record the full syntax for this command. Router(config-if)# ip bandwidth-percent eigrp as-number percent

This command uses the amount of configured bandwidth (or the default bandwidth) when calculating the percent that EIGRP can use. Hello Intervals and Holdtimes Hello intervals and holdtimes are configurable on a per-interface basis and do not have to match with other EIGRP routers to establish adjacencies. Record the command to configure a different Hello interval. Router(config-if)# ip hello-interval eigrp as-number seconds

If you change the Hello interval, make sure that you also change the holdtime to a value equal to or greater than the Hello interval. Otherwise, neighbor adjacency will go down after the holdtime expires and before the next Hello interval. Record the command to configure a different holdtime. Router(config-if)# ip hold-time eigrp as-number seconds

EIGRP has different default Hello intervals and holdtimes based on the type of link. Complete Table 8-2 with the default values. Table 8-2

instructor.indb 118

Default Hello Intervals and Holdtimer for EIGRP

Bandwidth

Example Link

Default Hello Interval

Default Holdtime

1.544 Mbps

Multipoint Frame Relay

60 seconds

180 seconds

Greater Than 1.544 Mbps

T1, Ethernet

5 seconds

15 seconds

3/12/14 7:51 AM


119

Load Balancing Briefly describe equal-cost load balancing. Load balancing is the ability of a router to use all local interfaces that routes with the same metric to a destination address. By default, EIGRP uses up to four equal-cost paths to load balance traffic. You can see load balancing in effect in the routing tables shown in previous Examples 8-4 and 8-5. The reason EIGRP is load balancing is that we have not configured the actual bandwidth shown in Figure 8-2. Record the commands to configure the routers with the correct bandwidth values. HQ(config)# int s0/0/0 HQ(config-if)# bandwidth 768 HQ(config-if)# int s0/0/1 HQ(config-if)# bandwidth 512 B1(config)# int s0/0/0 B1(config-if)# bandwidth 768 B1(config-if)# int s0/0/1 B1(config-if)# bandwidth 128 B3(config)# int s0/0/0 B3(config-if)# bandwidth 128 B3(config-if)# int s0/0/1 B3(config-if)# bandwidth 512

Once the routers are properly configured with the actual bandwidth values, EIGRP recalculates the metrics and installs the best route in the routing table, as shown in Example 8-6. Notice that B1 and B3 are no longer using the 128-Kbps link to route to each other’s LANs. Instead, they are each using the faster path through HQ. Example 8-6

EIGRP Routing Tables After Bandwidth Configuration


D*EX


D

10.10.0.0/21 [90/3847680] via 172.16.1.249, 00:05:50, Serial0/0/0

D

10.10.8.0/22 is a summary, 00:05:21, Null0

D


D

172.16.1.252/30 [90/6023936] via 172.16.1.249, 00:05:31, Serial0/0/0


::/0

::/0 [170/3845120] via FE80::2, Serial0/0/0

D

2001:DB8:1:1::/64 [90/3847680] via FE80::2, Serial0/0/0

instructor.indb 119

3/12/14 7:51 AM

120


D

2001:DB8:1:2::/64 [90/3847680] via FE80::2, Serial0/0/0

D

2001:DB8:1:6::/64 [90/6026496] via FE80::2, Serial0/0/0

D

2001:DB8:F:2::/64 [90/6023936] via FE80::2, Serial0/0/0


D*EX


D

10.10.0.0/21 [90/5514496] via 172.16.1.253, 00:05:43, Serial0/0/1

D

10.10.8.0/22 [90/6026496] via 172.16.1.253, 00:05:43, Serial0/0/1

D


D

172.16.1.248/30 [90/6023936] via 172.16.1.253, 00:05:43, Serial0/0/1


::/0 [170/5511936]

D

2001:DB8:1:1::/64 [90/5514496]

::/0



2001:DB8:1:2::/64 [90/5514496]

D

2001:DB8:1:4::/64 [90/6026496]



2001:DB8:F:1::/64 [90/6023936] via FE80::2, Serial0/0/1

Securing EIGRP Routing Updates In most production networks, you would want to configure the EIGRP routers to authenticate updates received from neighbors. The steps to configure EIGRP with MD5 authentication are as follows: Step 1.

Create a keychain and key. Record the command syntax including the router prompt to configure a keychain and key. Router(config)# key chain name-of-chain Router(config-keychain)# key key-id Router(config-keychain-key)# key-string key-string-text

instructor.indb 120

3/12/14 7:51 AM


Step 2.

121

Configure EIGRP authentication to use the keychain and key. Record the command syntax, including the router prompt, to configure EIGRP authentication using the keychain and key. Router(config)# interface type number Router(config-if)# ip authentication mode eigrp as-num md5 Router(config-if)# ip authentication key-chain eigrp as-num name-of-chain

Now record the commands to configure HQ to authenticate updates from B1 and B3. Assume that B1 and B3 are already configured. Use MYKEY as the keychain name, 1 as the key ID, and cisco123 as the key string. HQ(config)# key chain MYKEY HQ(config-keychain)# key 1 HQ(config-keychain-key)# key-string cisco123 HQ(config-keychain-key)# int s0/0/0 HQ(config-if)# ip authentication mode eigrp 1 md5 HQ(config-if)# ip authentication key-chain eigrp 1 MYKEY HQ(config-if)# int s0/0/1 HQ(config-if)# ip authentication mode eigrp 1 md5 HQ(config-if)# ip authentication key-chain eigrp 1 MYKEY

Use the show ip eigrp neighbors command as displayed in Example 8-7 to verify that HQ has reestablished adjacency with B1 and B3. Example 8-7

Verifying EIGRP Authentication


Address

Interface

Hold Uptime

SRTT

(sec)

(ms)

RTO

Q

Seq

Cnt Num

1

172.16.1.250

Se0/0/0

10 00:06:25

2

192

0

59

0

172.16.1.254

Se0/0/1

13 00:07:09

3

288

0

59

Lab - Configuring Advanced EIGRP for IPv4 Features (SN 8.1.5.5/RP 5.1.5.5)

Troubleshoot EIGRP This section reviews the tools and procedures to troubleshoot EIGRP issues.

Commands for Troubleshooting EIGRP In Table 8-3, the IPv4 version of the troubleshooting commands for EIGRP are listed. The same commands are available for IPv6. Indicate which command or commands you would use to answer each of the questions.

instructor.indb 121

3/12/14 7:51 AM

122


Table 8-3

Diagnosing EIGRP Connectivity Issues

Command

Is the Neighbor Table Correct?

show ip eigrp neighbors

X

show ip interface brief

X

show ip eigrp interface

X

Is the Routing Table Correct?

show ip protocols

X

show ip route eigrp

X

Does Traffic Take the Desired Path?

X

Troubleshoot EIGRP Connectivity Issues Using the configuration for the devices in Figure 8-2 and the following command outputs diagnose the EIGRP connectivity issue and recommend a solution.

Connectivity Issue #1 HQ and B1 have not formed a neighbor adjacency. Use the output in Example 8-8 to troubleshoot the first issue. Example 8-8

Troubleshooting Command Output for Issue #1


Address

Interface

0

172.16.1.254

Se0/0/1

Hold Uptime

SRTT

(sec)

(ms)

10 00:23:18

1

RTO

Q

Seq

Cnt Num 288

0

65

HQ# show ip interface brief Interface

IP-Address

OK? Method Status

Protocol

Embedded-Service-Engine0/0 unassigned

YES unset

GigabitEthernet0/0

10.10.0.1

YES manual up

administratively down down up

GigabitEthernet0/1

10.10.4.1

YES manual up

up

Serial0/0/0

172.16.1.250

YES manual up

up

Serial0/0/1

172.16.1.253

YES manual up

up

Loopback0

209.165.201.1

YES manual up

up

B1# show ip eigrp neighbors EIGRP-IPv4 Neighbors for AS(1) H

1

Address

172.16.1.246

Interface

SRTT

(sec)

(ms)

Se0/0/1

Hold Uptime

12 00:26:47

9

RTO

Q

Seq

Cnt Num 1170

0

67

B1# show ip interface brief Interface

instructor.indb 122

IP-Address

OK? Method Status

Protocol

Embedded-Service-Engine0/0 unassigned

YES unset

administratively down down

GigabitEthernet0/0

10.10.8.1

YES manual up

up

GigabitEthernet0/1

10.10.10.1

YES manual up

up

Serial0/0/0

172.16.1.250

YES manual up

up

Serial0/0/1

172.16.1.245

YES manual up

up

3/12/14 7:51 AM


123

Problem and Solution: HQ and B1 are both using the same IP address on the 172.16.1.248/30 link. Change either one to use IP address 172.16.1.249 and the neighbor relationship will be restored.

Connectivity Issue #2 HQ and B3 have not formed a neighbor adjacency. Example 8-9 displays the output for the second issue. Example 8-9


HQ# show ipv6 eigrp neighbors EIGRP-IPv6 Neighbors for AS(1) H

Address

Interface

0

Link-local address:

Se0/0/0

Hold Uptime

SRTT

(sec)

(ms)

14 05:12:49

1

RTO

Q

Seq

Cnt Num 186

0

57

FE80::1 B3# show ipv6 eigrp neighbors EIGRP-IPv6 Neighbors for AS(2)

Problem and Solution: B3 does not have EIGPR neighbors because it is configured with a different AS number than HQ. Configure B3 to use AS number 1 for its IPv6 EIGRP configuration.

Connectivity Issue #3 Although the IPv6 routes look correct, B3 is using a less-than-optimal route to reach the B1 and HQ IPv4 LANs. Use the output in Example 8-10 to troubleshoot the third issue. Example 8-10



Routing Protocol is "eigrp 1" Outgoing update filter list for all interfaces is not set Incoming update filter list for all interfaces is not set Default networks flagged in outgoing updates Default networks accepted from incoming updates Redistributing: static EIGRP-IPv4 Protocol for AS(1) Metric weight K1=1, K2=0, K3=1, K4=0, K5=0 NSF-aware route hold timer is 240 Router-ID: 2.2.2.2 Topology : 0 (base) Active Timer: 3 min

instructor.indb 123

3/12/14 7:51 AM

124


Distance: internal 90 external 170 Maximum path: 4 Maximum hopcount 100 Maximum metric variance 1

Automatic Summarization: disabled Address Summarization: 10.10.0.0/21 for Se0/0/0, Se0/0/1 Summarizing 2 components with metric 28160 Maximum path: 4 Routing for Networks: 10.0.0.0 172.16.0.0 Passive Interface(s): GigabitEthernet0/0 GigabitEthernet0/1 Serial0/0/1 Routing Information Sources: Gateway

Distance

Last Update

172.16.1.254

90

00:17:55

172.16.1.250

90

00:00:41

Distance: internal 90 external 170 B3# show ip route eigrp | begin Gateway Gateway of last resort is 172.16.1.245 to network 0.0.0.0

D*EX


D

10.10.0.0/21 [90/21026560] via 172.16.1.245, 00:08:32, Serial0/0/0

D

10.10.8.0/22 [90/20514560] via 172.16.1.245, 00:08:32, Serial0/0/0

D


D

172.16.1.248/30 [90/21024000] via 172.16.1.245, 00:08:32, Serial0/0/0


::/0

::/0 [170/5511936] via FE80::2, Serial0/0/1

D

2001:DB8:1:1::/64 [90/5514496] via FE80::2, Serial0/0/1

D

2001:DB8:1:2::/64 [90/5514496] via FE80::2, Serial0/0/1

D

2001:DB8:1:4::/64 [90/6026496] via FE80::2, Serial0/0/1

D

2001:DB8:F:1::/64 [90/6023936] via FE80::2, Serial0/0/1

instructor.indb 124

3/12/14 7:51 AM


125

Problem and Solution: The EIGRP configuration on HQ has the Serial 0/0/1 interface set to passive. Therefore, HQ and B3 have not established adjacency and HQ is not sending IPv4 routing updates to B3. Lab - Troubleshooting Basic EIGRP for IPv4 and IPv6 (SN 8.2.3.6/RP 5.2.3.6) Lab - Troubleshooting Advanced EIGRP (SN 8.2.3.7/RP 5.2.3.7) Packet Tracer Activity

instructor.indb 125

Packet Tracer - Troubleshooting EIGRP for IPv4 (SN 8.2.3.5/RP 5.2.3.5) Packet Tracer - Skills Integration Challenge (SN 8.3.1.2/RP 5.3.1.2)

3/12/14 7:51 AM

instructor.indb 126

3/12/14 7:51 AM

CHAPTER 9

IOS Images and Licensing

Network administrators are responsible for managing the routers and switches owned by the organization. This responsibility includes backing up and upgrading software images when needed. This chapter reviews basic IOS image concepts and management tasks.

instructor.indb 127

3/12/14 7:51 AM

128


Managing IOS System Files Cisco IOS software is a sophisticated operating system that includes multiple release versions that are organized into software release families and software trains.

IOS Families, Trains, and Naming Conventions A software release family is comprised of multiple IOS software release versions. What are the three features that distinguish an IOS software release family? ■

Share the same code base

■

Apply to a related platform (for example, 1900 series routers)

■

Overlap in support coverage

What are some major software releases within the software release family? 12.3, 12.4, 15.0, and 15.1 Briefly describe a software train. New versions are created to fix bugs and add new features to an existing software family. These releases are organized into trains that may contain several releases over the life of a software family. The Cisco IOS Software 12.4 train is considered the mainline train, which receives mostly software (bug) fixes with the goal of increasing software quality. These releases are also designated as Maintenance Deployment releases (MD). A mainline train is always associated with a technology train (T train). A T train, such as 12.4T, receives the same software bug fixes as the mainline train. What else does a T train include? T trains receive new software and hardware support features. T train releases are considered Early Deployment (ED) releases. Decoding the IOS release numbering conventions will go a long way in helping you understand the various trains used in the IOS 12.4 software release family. In Figure 9-1, indicate whether the release is a mainline train or a technology train. Then fill in the blanks for each part of the IOS 12 software release numbering scheme. Releases before IOS 15 consisted of eight packages for Cisco routers. These packages were the following: Five nonpremium packages:

instructor.indb 128

■

IP Base: Entry-level Cisco IOS Software Image

■

IP Voice: Converged voice and data, VoIP, VoFR, and IP Telephony

■

Advanced Security: Security and VPN features, including Cisco IOS Firewall, IDS/IPS, IPsec, 3DES, and VPN

■

SP (Service Provider) Services: Adds SSH/SSL, ATM, VoATM, and MPLS to IP Voice

■

Enterprise Base: Includes AppleTalk, IPX, and IBM Support

3/12/14 7:51 AM

Chapter 9: IOS Images and Licensing

Figure 9-1

129

The IOS 12.4 Software Release Numbering Convention 12.4(21 a)

12.4

12.4(20) T

1

12.4T

Figure 9-1a

The IOS 12.4 Software Release Numbering Convention (answer) 12.4(21 a)

12.4

Train Number Maintenance Identifier

Mainline Train

Rebuild Identifier

12.4(20) T

1

Train Number 12.4T

Maintenance Identifier Train Identifier

T Train

Rebuild Identifier

Three premium packages: ■

Advanced Enterprise Services: Full Cisco IOS software features

■

Enterprise Services: Enterprise base and service provider services

■

Advanced IP Services: Advanced security, service provider services, and support for IPv6

How does the Cisco IOS 15.0 release model differ from the mainline and T trains of 12.4? Instead of diverging into separate trains, Cisco IOS Software 15 mainline and T will have extended maintenance release (EM release) and standard maintenance release (T release). With the new IOS release model, Cisco IOS 15 mainline releases are referred to as M trains. New releases for the T trains are available two to three times a year. EM releases are available every 16 to 20 months.

instructor.indb 129

3/12/14 7:51 AM

130


In Figure 9-2, indicate whether the release is a mainline train or a technology train. Then fill in the blanks for each part of the IOS 15 software release numbering scheme. Figure 9-2

The IOS 15 Software Release Numbering Convention

15.0 (1) M1 15.0M

15.1 (1) T1 15.0T

Figure 9-2a

The IOS 15 Software Release Numbering Convention (answer) New Feature Release Number 15.0 (1) M1 15.0M

EM Release

Major Release Number Minor Release Number M = Extended Maintenance Release Maintenance Rebuild Number

New Feature Release Number 15.1 (1) T1 15.0T

T Release

Major Release Number Minor Release Number T = Standard Maintenance Release Maintenance Rebuild Number

Briefly explain how Services on Demand for Cisco Integrated Services Routers Generation Two (ISR G2) works. With the Services on Demand model, all features are included in one universal image shipped with all ISR G2s. The network administrator then activates feature sets using licensing keys. The IP base feature set is installed by default. What is the key difference between universalk9 and universalk9_npe IOS images? The universalk9_npe software image is provided for customers in those countries with import requirements disallowing routers with strong cryptography functionality. The npe extension to the image name stands for no payload encryption. Decode the IOS 12 image name in Table 9-1. The first one is done for you.

instructor.indb 130

3/12/14 7:51 AM


Table 9-1

131

Decoding IOS 12 Image Names

IOS Images

Hardware Feature Set

Train Maintenance Train Rebuild Number Release Identifier Identifier

c1841-ipbasek9-mz.124-12.bin

1841

Ipbasek9

12.4

12

M

c1841-advipservicesk9-mz.124-10b. bin

1841

Advanced 12.4 services

10

M

c3725-entbase-mz.124-6.T.bin

3725

Enterprise 12.4 base

6

T

b

Decode the IOS 15 image name in Table 9-2. The first one is done for you. Table 9-2

Decoding IOS 15 Image Names

IOS Images

Hardware Feature Set

Major Minor New Feature Maintenance Maintenance Release Release Release Release Rebuild

c1900-universalk9-mz. SPA.153-2.T.bin

1900

Universal 15

3

2

T

c2900-universalk9-mz. 2900 SPA.153-3.M.bin

Universal 15

3

3

M

c1841-advipservicesk9- 1841 mz.151-4.M6.bin

Advanced 15 services

1

4

M

6

Backing Up Cisco IOS Images To back up an IOS image to a TFTP server, complete the following steps: Step 1.

Ping the TFTP server to test connectivity.

Step 2.

Verify the TFTP server has enough memory to accept the image file. Use the show flash command to determine the size of the image.

Step 3.

Copy the image to the TFTP server using the copy source-url destination-url command.

In Figure 9-3, you are copying the image c1900-universalk9-mz.SPA.152-4.M1.bin from RTA to the TFTP server at 10.10.10.10. Record the commands, including the router prompt, to complete this task. Figure 9-3

Backing Up an IOS to a TFTP Server

RTA TFTP Server 10.10.10.10

RTA# ping 10.10.10.10 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

instructor.indb 131

3/12/14 7:51 AM

132


RTA# show flash -#- --length-- -----date/time------ path 1

67998028 Nov 30 1983 00:00:00 +00:00 c1900-universalk9-mz.SPA.152-4.M1.bin

188608512 bytes available (68001792 bytes used) RTA# copy flash tftp Source filename []? c1900-universalk9-mz.SPA.152-4.M1.bin Address or name of remote host []? 10.10.10.10 Destination filename [c1900-universalk9-mz.SPA.152-4.M1.bin]? !!!!!!!!!!!!!!!!!!!!!!!!! 67998028 bytes copied in 107.928 secs (630031 bytes/sec)

RTA#

Packet Tracer Activity Video Demonstration

Packet Tracer - Using a TFTP Server to Upgrade a Cisco IOS Image (SN 9.1.2.5/RP 10.1.2.5) Video Demonstration - Managing Cisco IOS Images (SN 9.1.2.6/RP 10.1.2.6)

IOS Licensing Before Cisco IOS Software Release 15.0, your router came with the IOS already installed for the features you desired. If you wanted to upgrade the feature set, you had to order, download, and install a new version. That all changed with 15.0. Each device ships with the same universal image. You enable the features you need through the use of licensing keys.

Software Licensing The feature sets that you enable with licensing keys are called technology packages. What are the four technology packages available? IP Base Data Unified Communications (UC) Security (SEC) On which Cisco ISR G2 platforms can these licenses be used? Cisco 1900, 2900, and 3900 series routers What command enables you to view the licenses currently supported on the router? Router# show license feature

What are the three major steps to activate a new software package or feature on the router?

instructor.indb 132

Step 1.

Purchase the software package or feature to be installed.

Step 2.

Obtain a Software Activation License file from Cisco.

Step 3.

Install the license file.

3/12/14 7:51 AM


133

What two things are needed to obtain a license? The product activation key (PAK) and a unique device identifier (UDI) How is the UDI constructed? The UDI is a combination of the product ID (PID), the serial number (SN), and the hardware version What command displays the UDI? Router# show license udi

What command installs the license? Router# license install stored-location-url

License Verification and Management After installing a license, you must reboot the router before the technology package is active and ready to use. What two commands are used in Example 9-1 to verify the licenses installed? Example 9-1

Verifying License Installation

Router# show version | begin License Info: License Info:

License UDI:

------------------------------------------------Device#

PID

SN

------------------------------------------------*0

CISCO1941/K9

FTX163283RZ

Technology Package License Information for Module:'c1900'

----------------------------------------------------------------Technology

Technology-package

Technology-package

Current

Next reboot

Type

-----------------------------------------------------------------ipbase

ipbasek9

Permanent

security

securityk9

EvalRightToUse securityk9

ipbasek9

data

None

None

None

Configuration register is 0x2102

instructor.indb 133

3/12/14 7:51 AM

134


Router# show license Index 1 Feature: ipbasek9 Period left: Life time License Type: Permanent License State: Active, In Use License Count: Non-Counted License Priority: Medium Index 2 Feature: securityk9 Period left: 8

weeks 1

Period Used: 2

days 0

day hour

License Type: EvalRightToUse License State: Active, In Use License Count: Non-Counted License Priority: Low Index 3 Feature: datak9 Period left: Not Activated Period Used: 0

minute

0

second

License Type: EvalRightToUse License State: Not in Use, EULA not accepted License Count: Non-Counted License Priority: None

In Example 9-1, the datak9 technology package is not in use. Record the commands, including the router prompt, to accept the EULA and activate the datak9 package. Router(config)# license accept end user agreement Router(config)# license boot module c1900 technology-package securityk9

What message do you receive when activate a package? % use 'write' command to make license boot config take effect on next boot

To back up your license files, save them to flash. Record the command, including the router prompt, to save the license files to flash. Router(config)# license save flash0:R1_license_files

Complete the following steps to uninstall a license: Step 1.

Disable the technology package. Record the command, including the router prompt, to disable the datak9 technology package. Router(config)# license boot module c1900 technology-package datak9 disable

Step 2.

After reloading the router, clear the license from storage. Record the commands, including the router prompt, to clear the datak9 technology package. Router# license clear datak9 Router# configure terminal Router(config)# no license boot module c1900 technology-package datak9 disable

instructor.indb 134

3/12/14 7:51 AM



135

Packet Tracer - EIGRP Capstone (SN 9.3.1.2/RP 10.3.1.2) Packet Tracer - OSPF Capstone (SN 9.3.1.3/RP 10.3.1.3) Packet Tracer - Skills Integration Challenge (SN 9.3.1.4/RP 10.3.1.4)

Video Demonstration

instructor.indb 135

Video Demonstration - Working with IOS 15 Image Licenses (SN 9.2.2.5/RP 10.2.2.5)

3/12/14 7:51 AM

instructor.indb 136

3/12/14 7:51 AM

CHAPTER 10


Part of your job as a network administrator is understanding how to build networks that are flexible, resilient, and manageable. Even if your direct responsibilities do not include actually designing the network, you still need a firm grasp of the benefits incurred from using a systematic design approach.

instructor.indb 137

3/12/14 7:51 AM

138


Hierarchical Network Design Overview Networks come in all sizes. The size of the network is directly proportional to the complexity of the design. However, structured engineering principles can help guide the designer in formulating a plan even for the most complex networks.

Enterprise Network Campus Design What are the three main categories of network sizes and how are they distinguished? Small network for up to 200 devices Medium-sized network for 200 to 1000 devices Large network for 1000+ devices In Table 10-1, indicate the structured engineering principle that is best described by the characteristic. Table 10-1

Structured Engineering Principles

Characteristic

Hierarchy

Modularity Resiliency

Is available to users regardless of the current conditions High-level tool for designing a reliable network

Flexibility

X X

Can be easily modified Examples include the data center and the Internet edge

X X

Hierarchical Network Design Briefly describe the three layers of the hierarchical network design. ■

Access layer: Provides workgroup/user access to the network

■

Distribution layer: Provides policy-based connectivity and controls the boundary between the access and core layers

■

Core layer: Provides fast transport between distribution switches within the enterprise campus

In Table 10-2, indicate the layer that is best described by the function Table 10-2

Hierarchical Network Layer Functions

Layer Function

Access

Distribution

Highest speed switching of the three layers

X

Policy-based security Port security

instructor.indb 138

X X

Redundancy and load balancing

X

Broadcast domain control

X

Spanning tree

Core

X

3/12/14 7:51 AM

Chapter 10: Hierarchical Network Design

Layer Function

Access

Layer 2 switching

Distribution

139

Core

X

Avoid CPU-intensive packet manipulation

X

Aggregates traffic from distribution devices

X

Aggregating LAN and WAN links

X

Briefly explain the concept of a collapsed core. Small networks and many medium-sized networks are not large enough to justify the expense and complexity of different devices at each of the three layers. A collapsed core design incorporates the distribution and core layer functions in one device. This reduces the costs of the design while still maintaining the benefits of a hierarchical design.

Cisco Enterprise Architecture Hierarchical network design is fine for campus network implementations. But the networks for many organizations span larger areas than just a campus to include teleworkers, branch sites, and data centers. These networks call for design approach where functions can be separated into modules.

Modular Network Design Briefly describe three benefits for using a modular approach to network design. Failures that occur within a module can be isolated from the remainder of the network. Network changes, upgrades, or the introduction of new services can be made in a controlled and staged fashion. When a specific module no longer has sufficient capacity or is missing a new function or service, it can be updated or replaced by another module. Security can be implemented on a modular basis. In Table 10-3, indicate which module is described by the feature. Table 10-3

Features of Modules in the Enterprise Architecture

Module Feature

AccessDistribution

Services

Provides resources necessary to employees so that they can effectively create, collaborate, and interact X X

Consists of the Internet Edge and WAN Edge

X

Provide connectivity outside the enterprise

X

Originally called the server farm

instructor.indb 139

Enterprise Edge

X

Could include wireless controls, policy gateways, and unified communications services Fundamental component of a campus design

Data Center

X

3/12/14 7:51 AM

140


In Figure 10-1, label the modules of the Enterprise Architecture. Figure 10-1

Identify Modules of the Enterprise Architecture

Services Block

Data Center

MetroE

HDLC

Figure 10-1a Identify Modules of the Enterprise Architecture (answer)

Access

Distribution Internet Edge

Services Block

Core Data Center

WAN Edge MetroE

HDLC

Cisco Enterprise Architecture Model What are the three primary modules of the Cisco Enterprise Architecture model? Enterprise Campus Enterprise Edge Service Provider Edge

instructor.indb 140

3/12/14 7:51 AM


141

Which module provides connectivity to the data center, branches, and teleworkers? Service Provider Edge What are the submodules of the Enterprise Campus module? Building Access Building Distribution Campus Core Data Center What are the submodules of the Enterprise Edge module? E-Commerce Internet Connectivity Remote Access and VPN WAN Site-to-Site VPN What is the main purpose of the Service Provider Edge module? The Service Provider Edge module provides connectivity between the Enterprise Edge module and submodules of the Remote module (Branch Locations, Teleworkers, Data Center). In Table 10-4, indicate the service provider solution described. Table 10-4

Service Provider Designs

Service Provider Connectivity Solution

SingleHomed

DualHomed

Multihomed

Connections to 2 or more ISPs

DualMultihomed

X

A single connection to 1 ISP

X

Multiple connections to 2 or more ISPs

X

2 or more connections to 1 ISP

X

What are the submodules of the remote module? Enterprise Branch Enterprise Teleworker Enterprise Data Center In Table 10-5, indicate which module is best described by the function. Table 10-5

Cisco Enterprise Architecture Model Functions

Cisco Enterprise Architecture Feature

Aggregates connectivity from various functional areas.

Enterprise Campus

Enterprise Edge


X

Allows employees to work at noncampus locations. Provides cost-effective access across large geographic areas.

instructor.indb 141

Remote

X X

3/12/14 7:51 AM

142


Cisco Enterprise Architecture Feature

Enterprise Campus

Enterprise Edge


Could use high-end Cisco Catalyst switches or just a ISR G2, depending on size of location.

X

Authenticates remote users and branch sites.

X

Incorporates the enterprise WAN links.

X

Uses multicast traffic and QoS to optimize network traffic.

X

Connects users with campus, server farm, and enterprise edge.

X

Mobile users connect using a local ISP. High availability through resilient hierarchical network design.

X X

Converges voice, video, and data across a single IP communications network.

X

Offsite data center to provide disaster recovery and business continuance services.

X

Devices located here include firewall and firewall routers, and network intrusion prevention systems.

X

Routes traffic into the Campus Core submodule.

X

Access management with VLANs and IPsec.

X

Supports security over Layer 2 and Layer 3 WANs. Provides internal users with secure connectivity to Internet services.

Remote

X X

In Figure 10-2, label the modules and submodules of the Cisco Enterprise Architecture model.

instructor.indb 142

3/12/14 7:51 AM


143

Figure 10-2 Cisco Enterprise Architecture Model

Building Distribution


E-Commerce ISP A

ISP B


PSTN

WAN Site-to-site VPN Frame Relay, ATM, MAN, ...

Network Management

Figure 10-2a Cisco Enterprise Architecture Model (answer) Enterprise Campus

Enterprise Edge


Building Access

Enterprise Branch

Campus Core


E-Commerce

Building Distribution

Remote

ISP A

Internet Connectivity ISP B


Remote Access and VPN PSTN Server Farm and Data Center

Enterprise Data Center WAN Site-to-site VPN

Network Management

instructor.indb 143


3/12/14 7:51 AM

144


Evolving Network Architectures Network architectures need to rapidly evolve to meet the needs of users. Traditionally, employees and students alike used devices provided by the organization. However, you more than likely currently use some type of mobile device to conduct some of your business or school work. Today’s enterprise networks should seamlessly provide services to users of all modes of access.

Cisco Enterprise Architectures What are the top trends that are impacting networks? Bring your own device (BYOD) Online collaboration Video communication Cloud computing What network architectures has Cisco introduced to address these trends? Cisco Borderless Network Architecture Collaboration Architecture Data Center/Virtualization Architecture

Emerging Network Architectures What are the two primary sets of services provided by the Cisco Borderless Network Architecture? Borderless end-point/user services Borderless network services What are the three layers of the Cisco Collaboration Architecture? Application and Devices Collaboration Services Network and Computer Infrastructure What are the three components of the Cisco Data Center/Virtualization Architecture? Cisco Unified Management Solutions Unified Fabric Solutions Unified Computing Solutions In Table 10-6, indicate the emerging network architecture described by the feature or service.

instructor.indb 144

3/12/14 7:51 AM


Table 10-6

Emerging Network Architectures

Emerging Network Architecture Functions and Services

Cisco Borderless Networks

Cisco Collaboration Architecture

Comprehensive set of technologies that bring together the network, computing, and storage platforms.

Any device must be able to connect securely, reliably, and seamlessly from anywhere.

X X

Portfolio of products, applications, and software development kits that provide a comprehensive solution to allow people to cooperate and contribute to the production of something. Unified approach to deliver application services to users in a highly distributed environment.

X

X

Network infrastructure and services are united via Cisco unified system services options.

instructor.indb 145

Cisco Data Center/ Virtualization Architecture

X

Applications include WebEx Meeting, WebEx Social, Cisco Jabber, and TelePresence.


145

X

Packet Tracer - Skills Integration Challenge - OSPF (CN 1.4.1.2) Packet Tracer - Skills Integration Challenge - EIGRP (CN 1.4.1.3)

3/12/14 7:51 AM

instructor.indb 146

3/12/14 7:51 AM

CHAPTER 11


Wide-area networks (WANs) are used to connect remote LANs together. Various technologies are used to achieve this connection. This chapter reviews WAN technologies and the many WAN services available.

instructor.indb 147

3/12/14 7:51 AM

148


WAN Technologies Overview WAN access options differ in technology, speed, and price. Each has advantages and disadvantages. Selecting the best technology depends largely on the network design.

Network Types and Their Evolving WAN Needs The WAN needs of a network depend greatly on the size of the network. These network types run the spectrum from small offices that really only need a broadband connection to the Internet all the way up to multinational enterprises that need a variety of WAN options to satisfy local, regional, and global restrictions. In Table 11-1, indicate the network type that fits each of the descriptions. Some descriptions may apply to more than one network type. Table 11-1

Identify the Network Type

Network Description

Outsourced IT support

Small Office Network

Campus Network

Branch Network

X

Very large sized business Connectivity to the Internet

X X

Converged network and application services

X

Hundreds of employees

X

X

Home, branch, and regional offices, teleworkers, and a central office Limited number of employees

X

X

In-house IT staff and network support

X

X

Thousands of employees

instructor.indb 148

X X

Several remote, branch, and regional offices (one central office)

X

Small-sized business

X

LAN focus of operations with broadband

X

Small to medium-sized business

X

Multiple campus LANs

X

Medium-sized business

Distributed Network

X

3/12/14 7:51 AM

Chapter 11: Connecting to the WAN

149

WAN Operations and Terminology WANs operate at which layers of the OSI model? Data link (Layer 2) and physical (Layer 1) Which organizations are responsible for WAN standards? Telecommunication Industry Association and the Electronic Industries Alliance (TIA/EIA) International Organization for Standardization (ISO) Institute of Electrical and Electronics Engineers (IEEE) What are some of the Layer 2 WAN technologies? Frame Relay, Point-to-Point Protocol (PPP), MetroEthernet, VSAT, MPLS, Broadband Why is the Layer 2 address field not usually used in WAN services? WAN links are normally point to point. Therefore, there is no need for a data link layer address.

instructor.indb 149

3/12/14 7:51 AM

150


Match the definition on the left with a term on the right. This exercise is a one-to-one matching. Definitions a. The boundary between customer equipment

and service provider equipment b. Devices inside the enterprise edge wiring

closet that are owned or leased by the organization c. Provider equipment that resides in the WAN

backbone capable of supporting routing protocols d. Digital modem used by DSL or cable Internet

service providers e. Dynamically establishes a dedicated circuit

before communication starts f. Provides an interface to connect subscribers to

a WAN link g. Splits traffic so that it can be routed over the

shared network h. Local service provider facility that connects

the CPE to the provider network

Terms g. Packet-switched network n. WAN switch b. Customer premises equipment (CPE) h. Central office (CO) o. Dialup modem p. Access server f. Data communications equipment (DCE) l. Router m. Data terminal equipment (DTE) i. Local loop j. CSU/DSU e. Circuit-switched network a. Demarcation point d. Broadband modem k. Toll network c. Core multilayer switch

i. Physical connection between the CPE to the

CO j. Required by digital leased lines to provide ter-

mination of the digital signal and convert into frames ready for transmission on the LAN k. Consists of the all-digital, long-haul commu-

nications lines, switches, routers, and other equipment in the provider network l. Customer device that provides internetwork-

ing and WAN access interface ports m. Customer device that transmits data over the

WAN link n. Multiport device that sits at the service pro-

vider edge to switch traffic o. Legacy technology device that converts digital

signals into analog signals transmitted over telephone lines p. Legacy technology device that can support

hundreds of dial-in and dial-out users

instructor.indb 150

3/12/14 7:51 AM


151

Selecting a WAN Technology The WAN access connections your small to medium-sized business purchases could use a public or private WAN infrastructure—or a mix of both. Each type provides various WAN technologies. Understanding which WAN access connections and technologies are best suited to your situation is an important part of network design.

Varieties of WAN Link Connections Your ISP can recommend several WAN link connection options that based on your specific requirements. These options can be classified in various categories. Use the list of WAN access options to label Figure 11-1. Figure 11-1

WAN Access Options WAN

Public

Dedicated

instructor.indb 151

Internet

3/12/14 7:51 AM

152


Figure 11-1

WAN Access Options (answer) WAN

Private

Dedicated

Public

Switched

Internet

Leased Lines

CircuitSwitched

PacketSwitched

Broadband VPN

T1/E1 T3/E3

PSTN ISDN

Metro Ethernet MPLS Frame Relay ATM

DSL Cable Wireless

Labels T1/E1/T3/E3

ATM

Switched

Frame Relay

Circuit switched

Packet switched

Metro Ethernet

Cable

Wireless

MPLS

PSTN

DSL

VPN

Private

Broadband

ISDN

Leased lines

Private and Public WAN Access Options As shown in Figure 11-1, WAN access options can first be classified as either private or public. Table 11-2 lists descriptions for various private WAN access options. Indicate which one is described. Some options are described more than once. Table 11-2

Private WAN Access Options


Considered the most expensive of all WAN access technologies.

Leased MPLS Ethernet ATM ISDN Lines WAN

instructor.indb 152

Dialup Frame Relay

X

Analog telephone lines are used to provide a switched WAN connection. A permanent, dedicated WAN connection which uses a T- or E-carrier system.

VSAT

X

X

3/12/14 7:51 AM



Leased MPLS Ethernet ATM ISDN Lines WAN

Satellite to router communications for WAN connections. X

X

X

Connects multiple sites using virtual circuits and data-link connection identifiers. Includes MetroE, EoMPLS, and VPLS as WAN connection options.

X

Converts analog to digital signals to provide a switched WAN connection over telephone lines. A popular replacement for traditional Frame Relay and ATM WAN access technologies.

instructor.indb 153

Dialup Frame Relay

X

Delivers data using fixed 53-byte packet cells over permanent and switched virtual circuits. Service providers and short-path labeling are used for leased lines, Ethernet WANs, and Frame Relay WANs.

VSAT

153

X

X

3/12/14 7:51 AM

154


Match the definition on the left with a public WAN access option on the right. This exercise is a one-to-one matching. Public WAN Access Options

Definitions a. Radio and directional-antenna modem WAN

access option provided to public organizations b. WAN access option that uses telephone lines

to transport data via multiplexed links c. High-speed long-distance wireless connections

through nearby special service provider towers d. Cellular radio waves WAN access option used

with smartphones and tablets e. Dish and modem-based WAN access option

d. 3G/4G Cellular f. VPN Remote c. WiMax e. Satellite Internet b. DSL h. Cable a. Municipal WiFi g. VPN site-to-site

for rural users where cable and DSL are not available f. Secure Internet-based WAN access option

used by teleworkers and extranet users g. Entire networks connected together by using

VPN routers, firewalls, and security appliances h. A shared WAN access option that transports

data using television-signal networks Lab - Researching WAN Technologies (CN 2.2.4.3)

instructor.indb 154

3/12/14 7:51 AM

CHAPTER 12


Point-to-point connections are the most common type of WAN connections. These connections are also called serial or leased lines. This chapter reviews the terms, technology, and protocols used in serial connections.

instructor.indb 155

3/12/14 7:51 AM

156


Serial Point-to-Point Overview Understanding how point-to-point serial communication across a leased line works is important to an overall understanding of how WANs function.

Serial Communications Briefly explain the difference between serial and parallel communications. In serial communications, the data is sent 1 bit at a time down one link. In parallel communications, bits are transmitted simultaneously over multiple links. What is clock skew issue in parallel communications? Clock skew is when the bits do not arrive at the same time causing synchronization issues.

instructor.indb 156

3/12/14 7:51 AM

Chapter 12: Point-to-Point Connections

157

Match the serial communications definition on the left with a term on the right. This is a one-to-one matching exercise. Definitions a. Cable that allows two WAN end devices to be

directly connected together

Terms h. Physical k. DCE

b. Signals sent sequentially 1 bit after another

f. Demarc

c. A networking device that converts signals into

n. CPE

an ISP WAN circuit format d. Universal ports that have replaced both

RS-232 and parallel ports on newer PCs e. A WAN connection that interconnects two

LANs directly f. The point at the customer site where the ISP

network ends g. A technique that reassembles multiple data

transmissions h. The OSI layer where time-division multiplex-

ing (TDM) operates

i. ISDN l. DTE j. Variable m. Parallel c. CSU/DSU d. USB e. Leased line a. Null modem b. Serial g. Bit interleaving

i. A WAN technology that uses TDM j. The way that STDM divides bandwidth into

multiple slots for data transmission k. Provides a clocking signal for the WAN circuit l. LAN/WAN routers at the customer location m. Transmission signals split between multiple

wires concurrently n. The network equipment connected to the

WAN circuit at the customer location

instructor.indb 157

3/12/14 7:51 AM

158


WAN Protocols Just like LANs, data is encapsulated into frames before transmission onto a WAN link. Various encapsulation protocols can be used to achieve the framing. In Table 12-1, indicate which protocol best fits the description. Table 12-1

WAN Encapsulation Protocols

WAN Protocol Description

HDLC

Provides connections over synchronous and asynchronous circuits

PPP

SLIP

X.25/LAPB

Frame Relay ATM

X

International standard for cell relay

X

Predecessor to Frame Relay

X

Default encapsulation on a serial link between two Cisco devices

X

Eliminates the need for error correction and flow control Forms the basis for synchronous PPP

X X

Built-in security with PAP and CHAP

X

Transfers data 53 bytes at a time so that processing can occur in hardware

X

Next-generation protocol after X.25

X

Largely replaced by PPP

X

An ITU-T standard that defines connections between a DTE and DCE

X

HDLC Encapsulation What is the major difference between the ISO 13239 HDLC standard and Cisco’s implementation of HDLC? Cisco’s implementation of HDLC uses a Protocol field to support multiple protocols. In Figure 12-1, label the fields of Cisco HDLC frame. Figure 12-1

Cisco HDLC Frame Format

Figure 12-1a Cisco HDLC Frame Format (answer)

Flag

instructor.indb 158

Address

Control

Protocol

Data

FCS

Flag

3/12/14 7:51 AM


159

List the three different formats of the Control field. Information (I) Frame Supervisory (S) Frame Unnumbered (U) Frame

HDLC Configuration and Troubleshooting Although High-Level Data Link Control (HDLC) is the default encapsulation on Cisco synchronous serial lines, you may need to change the encapsulation back to HDLC. Record the commands, including the router prompt, to change the first serial interface on a 1900 series router to HDLC. R1# configure terminal R1(config)# interface serial 0/0/0 R1(config-if)# encapsulation hdlc

Troubleshooting Serial Interfaces Troubleshooting the cause of a serial interface issue usually begins by entering the show interface serial command. This command can return one of six possible statuses for the line. In Table 12-2, indicate what status would display for each of the conditions of the serial interface. Some statuses are used more than once. Table 12-2

Line Conditions and Status Indicators

Condition of the Serial Interface

Serial X Is Up, Line Protocol Is Up

Serial X Is Down, Line Protocol Is Down

Serial X Is Up, Line Protocol Is Down

Serial X Is Up, Line Protocol Is Up (Looped)

A high error rate has occurred due to a WAN service provider problem. X

The router configuration includes the shutdown interface configuration command.

X

Cabling is faulty or incorrect.

X X

The clockrate command is not configured on the interface.

The router is not sensing a carrier detect (CD) signal. The same random sequence number in the keepalive is returned over the link.

instructor.indb 159

Serial X Is Administratively Down, Line Protocol Is Down

X

Keepalives are not being sent by the remote router.

This is the proper status line condition.

Serial X Is Up, Line Protocol Is Down (Disabled)

X X X

3/12/14 7:51 AM

160


What command will show whether a DTE or DCE cable is attached to the interface? show controllers Packet Tracer Activity

Packet Tracer - Troubleshooting Serial Interfaces (CN 3.1.2.7)

PPP Operation PPP encapsulation has been carefully designed to retain compatibility with most commonly used supporting hardware. PPP encapsulates data frames for transmission over Layer 2 physical links.

PPP Components Briefly described the three main components of PPP. ■

HDLC-like framing for transporting multiprotocol packets over point-to-point links

■

Link Control Protocol (LCP) for establishing, configuring, and testing the data-link connection

■

Network Control Protocols (NCPs) for establishing and configuring different network layer protocols

In Figure 12-2, fill in the missing parts of the PPP layered architecture. Figure 12-2 PPP Layered Architecture IPv4

IPv6

IPCP

IPv6CP Network Layer

PPP Data Link Layer

Physical Layer

Figure 12-2a PPP Layered Architecture (answer) IPv4

IPv6

IPCP

IPv6CP Network Layer

Network Control Protocol (NCP) PPP

instructor.indb 160

Authentication, Other Options Link Control Protocol (LCP)

Data Link Layer

Synchronous or Asynchronous Physical Media

Physical Layer

3/12/14 7:51 AM


161

List the type of physical interfaces supported by PPP. ■

Asynchronous serial

■

Synchronous serial

■

HSSI

■

ISDN

What automatic configurations does the Link Control Protocol (LCP) provide at each end of the link? ■

Handling varying limits on packet size

■

Detecting common misconfiguration errors

■

Terminating the link

■

Determining when a link is functioning properly or when it is failing

Briefly describe how PPP uses Network Control Protocol (NCP). PPP uses NCPs to negotiate the Layer 3 protocols that will be used to carry data packets. They provide functional fields containing standardized codes to indicate the network layer protocol type that PPP encapsulates. In Table 12-3, indicate whether each characteristic describes LCP or NCP. Table 12-3

LCP and NCP Characteristics

Characteristic

LCP

Can configure authentication, compression, and error detection

X

NCP

Bring network layer protocols up and down

X

Encapsulate and negotiate options for IPv4 and IPv6

X

Negotiate and set up control options on the WAN circuit

X

Handles limits on packet size

X

Establish, configure, and test the data link connection

X

Uses standardized codes to indicate the network layer protocol

X

Determine if link is functioning properly

X

Terminate the link

X

Manage packets from several network layer protocols

X

Figure 12-3 shows the PPP frame format. Answer the following questions about the specific features and purpose of each field. Figure 12-3 PPP Frame Format Field Length, in Bytes

instructor.indb 161

1

1

1

2

Variable

2 or 4

1

Flag

Address

Control

Protocol

Data

FCS

Flag

3/12/14 7:51 AM

162


What is the bit pattern for the Flag field? 01111110 Why is the Address field all 1s or 0xFF? On a point-to-point link, the destination node does not need to be addressed. What is the purpose of the Control field? The Control field calls for transmission of user data in an unsequenced frame, providing a connectionless link that does not require data links to be established. What is the purpose of the Protocol field? The Protocol field uses a 2-byte value to identify what network layer protocol is encapsulated in the data. What is the default size of the information stored in the Data field? 1500 bytes What does FCS stand for and what is the purpose of this field? The Frame Check Sequence field is used by the receiver to test the integrity of the frame received. If the FCS calculated by the receiver doesn’t match, the frame is silently discarded.

PPP Sessions What are the three phase for establishing a PPP session? ■

Phase 1: Link establishment and configuration negotiation

■

Phase 2: Link quality determination (optional)

■

Phase 3: Network layer protocol configuration negotiation

Figure 12-4 shows a partially labeled flowchart for the LCP link negotiation process. Complete the flowchart by properly labeling it with the provided steps. Figure 12-4 Steps in the LCP Link Negotiation Process

Sends ConfigureRequest

All options acceptable?

Yes

No Yes

All options recognized?

No Determine new negotiation parameters

instructor.indb 162

Yes

Authentication option?

No

Link is established

3/12/14 7:51 AM


163

Figure 12-4a Steps in the LCP Link Negotiation Process (answer)

Sends ConfigureRequest

Process ConfigureRequest

All options acceptable?

Yes

Send Configure-Ack

Receive Configure-Ack

No

Send Configure-Nak

Yes

All options recognized?

Authentication Phase

Yes

Authentication option?

No Determine new negotiation parameters

Send ConfigureReject

No

Link is established

Missing Labels for Figure 12-4 ■

Send Configure-Reject

■

Receive Configure-Ack

■

Process Configure-Request

■

Send Configure-Ack

■

Authentication Phase

■

Send Configure-Nak

PPP can be configured to support optional functions, including the following: ■

Authentication using either PAP or CHAP

■

Compression using either Stacker or Predictor

■

Multilink that combines two or more channels to increase the WAN bandwidth

After the link is established, the LCP passes control to the appropriate NCP. Figure 12-5 shows the NCP process for IPv4. Complete the figure by properly labeling it with the provided phases and steps. Missing Labels for Figure 12-5

instructor.indb 163

■

IPv4 Data Transfer

■

NCP Termination

■

IPCP Configure-Request

■

IPCP Configure-Ack

■

IPCP Terminate-Request

■

LCP Maintenance

■

IPCP Terminate-Ack

■

NCP Configuration

3/12/14 7:51 AM

164


Figure 12-5 The NCP Process

LCP Configuration

IPv4 DATA Exchange

LCP Termination

Figure 12-5a The NCP Process (answer)

LCP Configuration

IPCP Configure-Request IPCP Configure-Ack

NCP Configuration

IPv4 Data Transfer and LCP Maintenance

IPv4 DATA Exchange

IPCP Terminate-Request NCP Termination

IPCP Terminate-Ack

LCP Termination

instructor.indb 164

3/12/14 7:51 AM


165

Configure PPP PPP is a robust WAN protocol supporting multiple physical layer and network layer implementations. In addition, PPP has many optional features the network administrator can choose to implement.

Basic PPP Configuration with Options Figure 12-6 shows the topology and Table 12-4 shows the addressing we will use for PPP configuration. Figure 12-6 PPP Topology S0/0/0

S0/0/0 RTA

.2

.1

RTB

172.16.1.0/30 2001:DB8:1:F::/64

Table 12-4 Device

Addressing Table for PPP Interface

IPv4 Address

Subnet Mask

IPv6 Address/Prefix

RTA

S0/0/0

172.16.1.1

255.255.255.252

2001:DB8:1:F::1/64 RTB

S0/0/0

172.16.1.2

255.255.255.252

2001:DB8:1:F::2/64

Assume that the router interfaces are already configured with IPv4 and IPv6 addressing. RTB is fully configured with PPP. Record the commands, including the router prompt, to configure RTA with a basic PPP configuration. RTA# configure terminal RTA(config)# interface serial 0/0/0 RTA(config-if)# encapsulation ppp

RTB is configured for software compression using the Stacker compression algorithm. What happens if RTA is not configured with compression? During the LCP negotiation phase, RTA and RTB will negotiate to not use compression. Record the command, including the router prompt, to configure the same compression on RTA. RTA(config-if)# compress stac

RTB is configured to take down the link if the quality falls below 70 percent. Record the command, including the router prompt, to configure the equivalent on RTA. RTA(config-if)# ppp quality 70

In Figure 12-7, RTA and RTB are now using two serial links to transfer data. RTB is already configured with PPP multilink to load balance the traffic to RTA. Record the commands, including the router prompt, to configure the RTA multilink interface including IPv4 and IPv6 addressing and the necessary commands for the serial interfaces. Use the addressing in Table 12-4 for the multilink interface rather than Serial 0/0/0.

instructor.indb 165

3/12/14 7:51 AM

166


Figure 12-7

PPP Multilink Topology S0/0/0

S0/0/0 RTA

S0/0/1

S0/0/1

RTB

172.16.1.0/30 2001:DB8:1:F::/64

RTA(config)# interface multilink 1 RTA(config-if)# ip address 172.16.1.1 255.255.255.252 RTA(config-if)# ipv6 address 2001:db8:1:f::1/64 RTA(config-if)# ppp multilink RTA(config-if)# ppp multilink group 1 RTA(config-if)# interface serial 0/0/0 RTA(config-if)# no ip address RTA(config-if)# no ipv6 address RTA(config-if)# encapsulation ppp RTA(config-if)# ppp multilink RTA(config-if)# ppp multilink group 1 RTA(config-if)# interface serial 0/0/1 RTA(config-if)# no ip address RTA(config-if)# no ipv6 address RTA(config-if)# encapsulation ppp RTA(config-if)# ppp multilink RTA(config-if)# ppp multilink group 1

You can verify the operation of PPP using the following show commands. Record the commands used to generate the output on RTA. RTA# show interface serial 0/0/0 Serial0/0/0 is up, line protocol is up Hardware is WIC MBRD Serial Internet address is 172.16.1.1/30 MTU 1500 bytes, BW 1544 Kbit/sec, DLY 20000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation PPP, LCP Open Open: IPCP, IPV6CP, CCP, CDPCP, loopback not set Keepalive set (10 sec)

RTA# show ppp multilink

Multilink1 Bundle name: RTA Remote Endpoint Discriminator: [1] RTB Local Endpoint Discriminator: [1] RTA

instructor.indb 166

3/12/14 7:51 AM


167

Bundle up for 00:01:20, total bandwidth 3088, load 1/255 Receive buffer limit 24000 bytes, frag timeout 1000 ms 0/0 fragments/bytes in reassembly list 0 lost fragments, 0 reordered 0/0 discarded fragments/bytes, 0 lost received 0x2 received sequence, 0x2 sent sequence Member links: 2 active, 0 inactive (max 255, min not set) Se0/0/0, since 00:01:20 Se0/0/1, since 00:01:06 No inactive multilink interfaces

PPP Authentication Briefly explain the difference between PAP and CHAP. PAP uses a two-way process to authenticate with unencrypted plain-text passwords. CHAP uses a three-way process with an encrypted hash value generated by the MD5 algorithm. The password is never sent. PAP is not interactive. When you configure an interface with the ppp authentication pap command, the username and password are sent as one LCP data package. You are not prompted for a username. The receiving node checks the username and password combination and either accepts or rejects the connection. List three situations where PAP would be the appropriate choice for authentication. ■

A large installed base of client applications that do not support CHAP

■

Incompatibilities between different vendor implementations of CHAP

■

Situations where a plain-text password must be available to simulate a login at the remote host

Once PAP authentication is established, the link is vulnerable to attack. Why? PAP does not reauthenticate. So, a hacker can piggyback on an open connection. CHAP challenges periodically to make sure that the remote node still has a valid password. Complete the missing information in the following steps as RTA authenticates with RTB using CHAP.

instructor.indb 167

Step 1.

RTA initially negotiates the link connection using LCP with router RTB, and the two systems agree to use CHAP authentication during the PPP LCP negotiation.

Step 2.

RTB generates an ID and a random number, and sends that and its username as a CHAP challenge packet to RTA.

Step 3.

RTA uses the username of the challenger (RTB) and cross references it with its local database to find its associated password. RTA then generates a unique MD5 hash number using the RTB’s username, ID, random number, and the shared secret password.

Step 4.

RTA then sends the challenge ID, the hashed value, and its username (RTA) to RTB.

3/12/14 7:51 AM

168


Step 5.

RTB generates its own hash value using the ID, the shared secret password, and the random number it originally sent to RTA.

Step 6.

RTB compares its hash value with the hash value sent by RTA. If the values are the same, RTB sends a link established response to RTA.

When authentication is local (no AAA/TACACS+), what is the command syntax to configure PPP authentication on an interface? Router(config-if)# ppp authentication {chap | chap pap | pap chap | pap }

Assume that both PAP and CHAP are configured with the command ppp authentication chap pap on the interface. Explain how authentication will proceed. The first method specified, CHAP, will be requested during link negotiation. If the receiving node is not configured for CHAP, the second method specified, PAP, will be used.

PAP Configuration In Figure 12-6, RTB is already configured with PAP authentication with the password cisco123. Record the commands to configure PAP on RTA. RTA(config)# username RTB password cisco123 RTA(config)# interface s0/0/0 RTA(config-if)# ppp authentication pap RTA(config-if)# ppp pap sent-username RTA password cisco123

CHAP Configuration CHAP uses one less command than PAP. Now record the commands to remove PAP and configure RTA to use CHAP authentication. RTA(config)# interface s0/0/0 RTA(config-if)# no ppp authentication pap RTA(config-if)# no ppp pap sent-username RTA password cisco123 RTA(config-if)# ppp authentication chap

Packet Tracer - Configuring PAP and CHAP Authentication (CN 3.3.2.7) Lab - Configuring Basic PPP with Authentication (CN 3.3.2.8)

Troubleshoot WAN Connectivity If you cannot ping across a PPP link and you have checked the physical and data link layer issues reviewed in the “Troubleshooting Serial Interfaces” section earlier, the issue is probably the PPP configuration. You can use the debug command to troubleshoot PPP issues using the debug ppp {parameter} syntax. Based on the descriptions in Table 12-5, fill in the corresponding parameter you would use with the debug ppp command.

instructor.indb 168

3/12/14 7:51 AM


Table 12-5

169

Parameters for the debug ppp Command

Parameter

Usage

error

Displays issues associated with PPP connection negotiation and operation

compression

Displays information specific to the exchange of PPP connections using MPPC

negotiation

Displays PPP packets transmitted during PPP startup

packet

Displays PPP packets being sent and received

authentication

Displays authentication protocol messages

cbcp

Displays protocol errors and statistics associated with PPP connection negotiations using MSCB

Lab - Troubleshooting Basic PPP with Authentication (CN 3.4.1.5) Packet Tracer Activity

instructor.indb 169

Packet Tracer - Troubleshooting PPP with Authentication (CN 3.4.1.4) Packet Tracer - Skills Integration Challenge (CN 3.5.1.2)

3/12/14 7:51 AM

instructor.indb 170

3/12/14 7:51 AM

CHAPTER 13

Frame Relay

Although newer services are rapidly replacing it in some locations, Frame Relay has been a popular alternative to expensive dedicated leased lines. Frame Relay provides a cost-efficient solution for WAN access between multiple sites. This chapter reviews Frame Relay technology, configuration, verification, and troubleshooting.

instructor.indb 171

3/12/14 7:51 AM

172


Introduction to Frame Relay Frame Relay is a high-performance WAN protocol that operates at the physical and data link layers of the OSI reference model. Unlike leased lines, Frame Relay requires only a single access circuit to the Frame Relay provider to communicate with other sites connected to the same provider.

Frame Relay Concepts and Terminology Match the definition on the left with a term on the right. Terms are only used once. Definitions a. Bandwidth “borrowing” from other PVCs

when available b. Read Frame Relay was popular when com-

pared to private leased lines c. A preconfigured logical path between two

endpoints and assigned a DLCI d. A logical connection that is established

dynamically for the time needed e. The equivalent of 24 DS0 channels

Terms m. Access rate n. ANSI k. Black hole a. Bursting f. CIR b. Cost savings p. DE h. Disable

f. Guaranteed bandwidth for a specific PVC

l. DLCI

g. Downstream notification that there is conges-

r. DTE

tion on a Frame Relay switch h. Manual configuration will do this to the auto-

sensing of LMI-type feature on Cisco routers

g. FECN q. Inverse ARP j. LMI

i. Holding frame in a buffer before sending

c. PVC

j. Frame Relay extension that allows the DTE to

i. Queuing

discover the list of available DLCIs configured on the access link k. A PVC that no longer exists l. Used to identify each Frame Relay circuit

endpoint

o. Status d. SVC e. T1 s. X.25

m. Port bandwidth of the local loop n. One of the three LMI types other than cisco

and q933a o. LMI provides these updates about Frame

Relay connectivity p. Identifies the frames to be dropped in times of

congestion q. Process used by LMI to associate network

layer addresses to data link layer addresses r. The end of the Frame Relay connection that

initiates requests about the status of its Frame Relay links s. Protocol replaced by Frame Relay

instructor.indb 172

3/12/14 7:51 AM

Chapter 13: Frame Relay

173

Frame Relay Operation Frame Relay networks use permanent virtual circuits (PVCs), which uniquely define a logical path between two endpoints. Frame Relay is a more cost-effective option than leased lines for two reasons: The cost of a leased line includes the cost of a full end-to-end dedicated connection. The cost of Frame Relay includes only the cost to the local loop. Frame Relay shares bandwidth with other customers across the same physical circuit. The end of each PVC uses a number to identify it called the data link connection identifier (DLCI). What does it mean to say that these numbers are locally significant? Locally significant DLCIs means that only the local devices need to know this number. That way, the DLCI number can be reused on other equipment throughout the network. Frame Relay is statistically multiplexed, meaning that it transmits only one frame at a time, but that many logical connections can coexist on a single physical line. In Figure 13-1, label the missing fields in a standard Frame Relay frame. Figure 13-1

Fields of the Standard Frame Relay Frame 8 bits

16 bits

Variable

16 bits

8 bits

Flag

Address

Data

FCS

Flag

C/R EA

EA

Byte 1

Byte 2

Figure 13-1a Fields of the Standard Frame Relay Frame (answer) 8 bits

16 bits

Variable

16 bits

8 bits

Flag

Address

Data

FCS

Flag

DLCI

Byte 1

instructor.indb 173

C/R EA

DLCI

FECN BECN DE

EA

Byte 2

3/12/14 7:51 AM

174


Identify and briefly describe each of the three Frame Relay topologies. Star topology: Also known as a hub-and-spoke topology with a central site connected to branch sites. All branch-to-branch communication is sent through the central (hub) site. Therefore, branch sites are only configured with one VC. Full mesh: Every node is configured with a VC to every other node in the network. However, each node usually only has one physical link to the local Frame Relay switch. Partial mesh: Nodes may have more than one VC configured to remote locations. But all nodes are not configured with all VCs, as in full mesh. This works better for larger networks where a full-mesh topology would be cost prohibitive. A router must know what remote Layer 3 address maps to the locally configured DLCI before it can send data over the link. This mapping can be achieved statically or dynamically. Briefly describe the IPv4 protocol that provides dynamic mapping. Dynamic address mapping relies on Inverse ARP to resolve a next-hop network layer IPv4 address to a local DLCI value. The Frame Relay router sends out Inverse ARP requests on its PVC to discover the protocol address of the remote device connected to the Frame Relay network. On Cisco routers, what must you do to make sure Inverse ARP is operational? Nothing; Inverse ARP is enabled by default. What is the command syntax to disable Inverse ARP? Router(config-if)# no frame-relay inverse-arp

What is the command syntax to override dynamic mapping and statically configure the map? Router(config-if)# frame-relay map protocol protocol-addressdlci [broadcast] [ietf] [cisco]

Why would you use the keyword ietf? Use the keyword ietf when connecting to a non-Cisco router. Why would you use the keyword broadcast? The keyword broadcast allows broadcast and multicast traffic to be sent over the VC, which can greatly simplify the configuration of routing protocols like OSPF. What command can you use to verify Frame Relay maps? show frame-relay map Briefly describe the Local Management Interface (LMI). LMI is an extension of Frame Relay that provides additional capabilities including the ability for DTEs to dynamically acquire information about the status of the network. LMI uses reserved DLCIs in the range from 0 to 1023 to exchange LMI messages between the DTE and DCE. What are the three LMI types supported by Cisco routers? CISCO, ANSI, Q933A With Cisco IOS software release 11.2, the LMI type does not need to be configured because it is autosensed.

instructor.indb 174

3/12/14 7:51 AM


175

In Figure 13-2, RTA and RTB are both configured to use Frame Relay with the IPv4 addressing and DLCIs shown. RTA has just booted up. Fully explain how RTA will dynamically learn the DLCIs from the local Frame Relay switch and then dynamically learn the IPv4 address of RTB. Figure 13-2 Frame Relay Topology

S0/0/0 10.10.10.1/30 RTA

Frame Relay

DLCI 201

S0/0/0 10.10.10.2/30

DLCI 102

RTB

PVC

After booting, RTA will autosense the LMI type used on the local loop. Then RTA will send an LMI status inquiry message to the local Frame Relay switch. The local Frame Relay switch replies to the query with all the VCs configured on the access link. This will include the DLCI 201, which the Frame Relay network has mapped internally to reach RTB. Once RTA has the DLCIs for the access link (only 201 in this example), it sends an Inverse ARP message which is forwarded by the Frame Relay network to RTB. RTB responds to the Inverse ARP message with its IPv4 address. When RTA receives the response from RTB, it will map the local DLCI 201 to the IPv4 address of RTB. From the customer’s point of view, Frame Relay is one interface configured with one or more PVCs. The rate at which data will be accepted by the local Frame Relay switch is contracted. The access rate is the actual speed of the port connected to the service provider. It is not possible to send data any faster. The committed information rate (CIR) is the rate at which the customer can send data into the Frame Relay network. All data at or below this rate is guaranteed. What does the term oversubscription mean in relation to Frame Relay? What problems can it cause? A service provider may decide to oversell an access link on the assumption that everyone that is subscribed on the link will not need to use the link for their full subscription all the time. Traffic will be dropped in situations where a link is oversubscribed and then subsequently overutilized. When the Frame Relay network is underutilized, customers can burst over their CIR at no additional cost. The committed burst size (Bc) is a negotiated rate above the CIR that the customer can use to transmit for short bursts, and represents the maximum allowed traffic under normal working conditions. When sending at a rate higher than the CIR, the Discard Eligibility (DE) bit is set to 1 in every frame so that the Frame Relay network can discard the frame if congestion is occurring. However, when there is congestion on the Frame Relay network, the switch that is experiencing congestion will begin setting the Forward Explicit Congestion Notification (FECN) bit to 1 to inform downstream devices that there is congestion on the network. It will also set the Backward Explicit Congestion Notification (BECN) bit to 1 and send a message to the source to throttle back the speed at which it is sending data. In addition, the Frame Relay switch experiencing congestion will discard every frame that has the DE bit set to 1.

instructor.indb 175

3/12/14 7:51 AM

176


Configure Frame Relay Frame Relay connections are created by configuring customer premise equipment (CPE) routers or other devices to communicate with a service provider Frame Relay switch. The service provider configures the Frame Relay switch, which helps keep end-user configuration tasks to a minimum.

Configure Basic Frame Relay Because so many of the features of Frame Relay are enabled by default, configuration is straightforward. Assuming the interface is correctly addressed, the basic configuration is simply a matter of changing the encapsulation on the interface. In Figure 13-3, RTB is configured and ready to send traffic on the Frame Relay network. Assume RTA is already configured with IPv4 and IPv6 addressing. Record the commands, including the router prompt, to enable Frame Relay. Figure 13-3 S0/0/0 10.10.10.1/30 2001:DB8:1:F::1/64 Link Local: FE80::1 RTA

Frame Relay

S0/0/0 10.10.10.2/30 2001:DB8:1:F::2/64 Link Local: FE80::2

DLCI 201

DLCI 102

RTB

PVC RTA# configure terminal RTA(config)# interface serial 0/0/0 RTA(config-if)# encapsulation frame-relay

Connectivity between RTA and RTB should now be operational for IPv4 traffic. However, in our example, IPv6 requires static mapping. You will need to map both the globally unique and link local IPv6 addresses. Because the link local address is used for multicasts, you will need to add the keyword broadcast to your frame relay map configuration. Record the commands, including the router prompt, to statically configure RTA with IPv6 frame relay maps. RTA(config)# interface s0/0/0 RTA(config-if)# frame-relay map ipv6 2001:db8:1:f::2 201 RTA(config-if)# frame-relay map ipv6 fe80::2 201 broadcast

Record the command used to generate the following output verifying the IPv4 and IPv6 maps. RTA# show frame-relay map Serial0/0/0 (up): ipv6 FE80::2 dlci 201(0xC9,0x3090), static, broadcast, CISCO, status defined, active Serial0/0/0 (up): ipv6 2001:DB8:1:F::2 dlci 201(0xC9,0x3090), static, CISCO, status defined, active Serial0/0/0 (up): ip 10.10.10.2 dlci 201(0xC9,0x3090), dynamic, broadcast, CISCO, status defined, active Packet Tracer Activity

instructor.indb 176

Packet Tracer - Configuring Static Frame Relay Maps (CN 4.2.1.4)

3/12/14 7:51 AM


177

Configure Subinterfaces When configuring a hub-and-spoke topology with Frame Relay, you must create subinterfaces so that each PVC can have its own Layer 3 addressing. In a Frame Relay nonbroadcast multiaccess (NBMA) topology like the one shown in Figure 13-4, this can cause reachability issues without proper configuration. Figure 13-4 Frame Relay NBMA Topology S0/0/0 10.10.10.2/30 DLCI 102 S0/0/0.201 10.10.10.1/30 DLCI 201

RTB Frame Relay NBMA

RTA S0/0/0.301 10.10.10.5/30 DLCI 301

PVC

S0/0/0 10.10.10.6/30 DLCI 103

RTC

Briefly describe the three reachability issues caused by NBMA topologies. Split horizon: This rule states that an update received on a physical interface should not be retransmitted out that same physical interface. Broadcast and multicast replication: Broadcast and multicast traffic must be replicated for each PVC that is configured on the interface. This can consume considerable bandwidth which might impact user traffic if the path already has low bandwidth. Neighbor discovery: In OSPF, the DR/BDR election must result in the hub router as DR because it is the only router that has PVCs to all other routers. What are the three ways to solve these reachability issues? One or more of the following: disable split horizon, build a full mesh topology, configure subinterfaces. In Figure 13-4, RTA is the hub router and RTB and RTC are spokes. Given the information shown in Figure 13-4, record the commands, including the router prompts, to configure RTA with Frame Relay using point-to-point subinterfaces. RTA(config)# interface serial 0/0/0 RTA(config-if)# encapsulation frame-relay RTA(config-if)# no ip address RTA(config-if)# no shutdown RTA(config-if)# exit RTA(config)# interface serial 0/0/0.201 point-to-point RTA(config-subif)# ip address 10.10.10.1 255.255.255.252 RTA(config-subif)# frame-relay interface-dlci 201 RTA(config-fr-dlci)# exit RTA(config-subif)# exit

instructor.indb 177

3/12/14 7:51 AM

178


RTA(config)# interface serial 0/0/0.301 RTA(config-subif)# ip address 10.10.10.5 255.255.255.252 RTA(config-subif)# frame-relay interface-dlci 301 RTA(config-fr-dlci)#

Lab - Configuring Frame Relay and Subinterfaces (CN 4.2.2.7) Packet Tracer Activity

Packet Tracer - Configuring Frame Relay Point-to-Point Subinterfaces (CN 4.2.2.6)

Troubleshoot Connectivity Frame Relay is generally a reliable service. Nonetheless, sometimes the network performs at less-than-expected levels, and troubleshooting is necessary. Record the Frame Relay verification commands that generated the following output: RTA# show frame-relay pvc

PVC Statistics for interface Serial0/0/0 (Frame Relay DTE)

Active

Inactive

Deleted

Static

Local

1

0

0

0

Switched

0

0

0

0

Unused

0

0

0

0

DLCI = 201, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/0/0

input pkts 1

output pkts 1

in bytes 34

out bytes 34

dropped pkts 0

in pkts dropped 0

out pkts dropped 0

out bytes dropped 0

in FECN pkts 0

in BECN pkts 0

out FECN pkts 0

out BECN pkts 0

in DE pkts 0

out DE pkts 0

out bcast pkts 1

out bcast bytes 34

5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec pvc create time 00:02:12, last time pvc status changed 00:01:38 RTA# show frame-relay lmi

LMI Statistics for interface Serial0/0/0 (Frame Relay DTE) LMI TYPE = CISCO

instructor.indb 178

Invalid Unnumbered info 0

Invalid Prot Disc 0

Invalid dummy Call Ref 0

Invalid Msg Type 0

Invalid Status Message 0

Invalid Lock Shift 0

Invalid Information ID 0

Invalid Report IE Len 0

Invalid Report Request 0

Invalid Keep IE Len 0

Num Status Enq. Sent 14

Num Status msgs Rcvd 15

3/12/14 7:51 AM


Num Update Status Rcvd 0

Num Status Timeouts 0

Last Full Status Req 00:00:23

Last Full Status Rcvd 00:00:23

179

RTA# show interface serial 0/0/0 Serial0/0/0 is up, line protocol is up Hardware is WIC MBRD Serial Internet address is 10.10.10.1/30 MTU 1500 bytes, BW 1544 Kbit/sec, DLY 20000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation FRAME-RELAY, loopback not set Keepalive set (10 sec) LMI enq sent

15, LMI stat recvd 16, LMI upd recvd 0, DTE LMI up

LMI enq recvd 0, LMI stat sent LMI DLCI 1023

LMI type is CISCO

0, LMI upd sent

0

frame relay DTE

FR SVC disabled, LAPF state down Broadcast queue 0/64, broadcasts sent/dropped 1/0, interface

RTA# show frame-relay map Serial0/0/0 (up): ip 10.10.10.2 dlci 201(0xC9,0x3090), dynamic, broadcast, CISCO, status defined, active Serial0/0/0 (up): ipv6 2001:DB8:1:F::2 dlci 201(0xC9,0x3090), static, CISCO, status defined, active Serial0/0/0 (up): ipv6 FE80::2 dlci 201(0xC9,0x3090), static, broadcast, CISCO, status defined, active RTA#

In Table 13-1, indicate which command enables you to verify the described information. Some information can be verified with more than one command. Table 13-1

Frame Relay Verification Commands

Frame Relay Information Verified

show interface serial

show framerelay lmi

show framerelay pvc

Broadcast status for the PVC

X

PVC status

instructor.indb 179

X

Number of LMI status queries sent and received

X

Layer 1 and Layer 2 status information

X

LMI type

X

Invalid LMI types

show framerelay map

X

X

X X

3/12/14 7:51 AM

180


Frame Relay Information Verified


instructor.indb 180

show interface serial

show framerelay lmi

show framerelay pvc

Number of ECN packets in and out

X

DLCI assigned to the PVC

X

The encapsulation type

X

Frame Relay DTE/DCE type

X

show framerelay map

X

Packet Tracer - Skills Integration Challenge (CN 4.4.1.2)

3/12/14 7:51 AM

CHAPTER 14

Network Address Translation for IPv4

All public IPv4 addresses that transverse the Internet must be registered with a Regional Internet Registry (RIR). Only the registered holder of a public Internet address can assign that address to a network device. With the proliferation of personal computing and the advent of the World Wide Web, it soon became obvious that 4.3 billion IPv4 addresses would not be enough. The long-term solution was to eventually be IPv6. But for the short term, several solutions were implemented by the IETF, including Network Address Translation (NAT) and RFC 1918 private IPv4 addresses.

NAT Operation There are not enough public IPv4 addresses to assign a unique address to each device connected to the Internet. Networks are commonly implemented using private IPv4 addresses.

NAT Characteristics Fill in the table with the private addresses defined by RFC 1918. Class

Address Range

CIDR Prefix

A

10.0.0.0–10.255.255.255

10.0.0.0/8

B

172.16.0.0–172.31.255.255

172.16.0.0/12

C

192.168.0.0–192.168.255.255

192.168.0.0/16

Briefly explain the following terms:

instructor.indb 181

■

Inside local address: The address of the source as seen from inside the network.

■

Inside global address: The address of source as seen from the outside network.

■

Outside global address: The address of the destination as seen from the outside network. Most often the outside local and outside global addresses are the same.

■

Outside local address: The address of the destination as seen from the inside network. Although uncommon, this address could differ from the globally routable address of the destination.

3/12/14 7:51 AM

182


In Figure 14-1, label each type of NAT address. Figure 14-1

Identify NAT Address Types

203.0.113.11

192.168.51.5 198.51.100.2 WWW

PC1 R1 ISP

192.168.51.1

Web Server

Figure 14-1a Identify NAT Address Types (Answer) 203.0.113.11

192.168.51.5 198.51.100.2 WWW

PC1 R1 ISP

192.168.51.1

Web Server

Outside Local

Outside Global

Inside Global

Inside Local

Types and Benefits of NAT Briefly describe the three types of NAT: ■

Static address translation (static NAT): One-to-one address mapping between local and global addresses.

■

Dynamic address translation (dynamic NAT): Many-to-many address mapping between local and global addresses.

■

Port Address Translation (PAT): Many-to-one address mapping between local and global addresses. This method is also known as overloading (NAT overloading).

When is it appropriate to use static NAT? Static NAT is particularly useful for web servers or devices that must have a consistent address that is accessible from the Internet, such as a company web server. It is also useful for devices that must be accessible by authorized personnel when offsite, but not by the general public on the Internet. What is the difference between dynamic NAT and PAT? Dynamic NAT uses a pool of public addresses and assigns them on a first-come, first-served basis. PAT maps multiple private addresses to one or a few public addresses using the source port number to track connections. List and explain at least three advantages and three disadvantages to using NAT. Advantages

instructor.indb 182

■

Conserves the legally registered addressing scheme

■

Increases the flexibility of connections to the public network

3/12/14 7:51 AM

CHAPTER 14: Network Address Translation for IPv4

■

Provides consistency for internal network addressing schemes

■

Provides network security

183

Disadvantages


■

Performance is degraded.

■

End-to-end functionality is degraded.

■

End-to-end IP traceability is lost.

■

Tunneling becomes more complicated.

■

Initiating TCP connections can be disrupted.

Packet Tracer - Investigating NAT Operation (RSE 11.1.2.6/WAN 5.1.2.6)

Configuring NAT Configuring NAT is straightforward if you follow a few simple steps. Static NAT and dynamic NAT configurations vary slightly. Adding PAT to a dynamic NAT is as simple as adding a keyword to the configuration.

Configuring Static NAT Use the following steps to configure static NAT: Step 1.

Create a map between the inside local IP address and the inside global IP address with the ip nat inside source static local-ip global-ip global configuration command.

Step 2.

Configure the inside interface of the LAN the device is attached to participate in NAT with the ip nat inside interface configuration command.

Step 3.

Configure the outside interface where NAT translation will occur with the ip nat outside interface configuration command.

Refer to the topology in Figure 14-2 to configure static NAT. Figure 14-2 Static NAT Configuration Topology Inside Network

Outside Network S0/0/0

S0/1/0

Internet

R2 Web Server 172.16.1.10 Static NAT Translation

Client 209.165.201.254 http://64.100.10.1

The web server uses an inside local address 172.16.1.10 that needs to be translated to the inside global address 64.100.10.1. Record the command including router prompt to configure the static translation on R2. R2(config)# ip nat inside source static 172.16.1.10 64.100.10.1

instructor.indb 183

3/12/14 7:51 AM

184


Record the commands including router prompt to configure the inside interface. R2(config)# interface Serial0/0/0 R2(config-if)# ip nat inside

Record the commands including router prompt to configure the outside interface. R2(config)# interface Serial0/1/0 R2(config-if)# ip nat outside


Packet Tracer - Configuring Static NAT (RP 11.2.1.4/WAN 5.2.1.4)

Configuring Dynamic NAT Use the following steps to configure dynamic NAT: Step 1.

Define the pool of addresses that will be used for dynamic translation using the ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} global configuration command.

Step 2.

Configure an ACL to specify which inside local addresses will be translated using a standard ACL.

Step 3.

Bind the NAT pool to the ACL with the ip nat inside source list ACL-number pool name global configuration command.

Step 4.

Configure the inside interface of the LAN the device is attached to participate in NAT with the ip nat inside interface configuration command.

Step 5.

Configure the outside interface where NAT translation will occur with the ip nat outside interface configuration command.

Refer to the topology in Figure 14-3 to configure dynamic NAT. Figure 14-3 Dynamic NAT Configuration Topology 172.16.1.0/24 PC1 Outside Network

Inside Network 172.16.1.10 S0/0/0 R1 PC2 172.16.2.10

S0/1/0

Internet

R2 NAT POOL: 64.100.10.0/30

Server

Dynamic NAT

172.16.2.0/24

The pool of available addresses is 64.100.10.0/30. Record the command including router prompt to configure the NAT pool with an appropriate name. R1(config)# ip nat pool NAT 64.100.10.0 64.100.10.3 netmask 255.255.255.252

instructor.indb 184

3/12/14 7:51 AM


185

The two LANs, 172.16.1.0/24 and 172.16.2.0/24, need to be translated. No other addresses are allowed. Record the command including router prompt to configure the ACL. R1(config)# access-list 1 permit 172.16.1.0 0.0.0.255 R1(config)# access-list 1 permit 172.16.2.0 0.0.0.255

Record the command including router prompt to bind the NAT pool to the ACL. R1(config)# ip nat inside source list 1 pool NAT

Record the commands including router prompt to configure the inside interface. R2(config)# interface Serial0/0/0 R2(config-if)# ip nat inside

Record the commands including router prompt to configure the outside interface. R2(config)# interface Serial0/1/0 R2(config-if)# ip nat outside

Lab - Configuring Dynamic and Static NAT (RP 11.2.2.6/WAN 5.2.2.6) Packet Tracer Activity

Packet Tracer - Configuring Dynamic NAT (RP 11.2.2.5/WAN 5.2.2.5)

Configuring Port Address Translation Configuring Port Address Translation (PAT) is just like configuring dynamic NAT except you add the keyword overload to your binding configuration: Router(config)# ip nat inside source list ACL-number pool name overload

However, a more common solution in a small business enterprise network is to simply overload the IP address on the gateway router. In fact, this is what a home router does “out of the box.” To configure NAT to overload the public IP address on an interface, use the following command: Router(config)# ip nat inside source list ACL-number interface type number overload

In this case, of course, there is no pool configuration. Refer to the topology in Figure 14-4 to configure PAT. Figure 14-4 Dynamic NAT Configuration Topology 172.16.1.0/24 PC1 Outside Network

Inside Network 172.16.1.10 S0/0/0 R1

S0/1/0

Internet

R2 Server

PC2 172.16.2.10

64.100.10.1

172.16.2.0/24

instructor.indb 185

3/12/14 7:51 AM

186


R1 is using the public IP address 64.100.10.1 on the Serial 0/1/0 interface. Record the command including router prompt to bind the ACL you configured for dynamic NAT to the Serial 0/1/0 interface. R1(config)# ip nat inside source list 1 interface s0/1/0 overload

That’s it! The rest of the commands are the same as dynamic NAT. However, the process of translating inbound and outbound packets is a bit more involved. PAT maintains a table of inside and outside addresses mapped to port numbers to track connections between the source and destination. The series of Figures 14-5 through 14-8 illustrate the PAT process overloading an interface address. Use the options in Table 14-1 to fill in the source address (SA), destination address (DA), and corresponding port numbers as the packet travels from source to destination and back. Table 14-1

Addresses and Port Numbers

64.100.10.2

192.168.51.5

1268

209.165.201.11

1150

53

192.168.51.1

80

Figure 14-5 Hop 1: PC1 to NAT-Enabled R1 192.168.51.5

192.168.51.1

209.165.201.11

ISP

PC1

Internet

R1 64.100.10.2

Web Server

SA

DA

Source Port

Destination Port

1150

80

Figure 14-5a Hop1: PC1 to NAT-Enabled R1 (Answer) 192.168.51.5

192.168.51.1

209.165.201.11

ISP

PC1

Internet

R1 64.100.10.2

Web Server

instructor.indb 186

SA

DA

192.168.51.5

209.165.201.11

Source Port

Destination Port

1150

80

3/12/14 7:51 AM


187

Figure 14-6 Hop 2: NAT-Enabled R1 to Web Server 192.168.51.5

192.168.51.1

209.165.201.11

ISP

PC1

Internet

R1 64.100.10.2

Web Server

SA

DA

Source Port

Destination Port

1268

Figure 14-6a Hop 2: NAT-Enabled R1 to Web Server (Answer) 192.168.51.5

192.168.51.1

209.165.201.11

ISP

PC1

Internet

R1 64.100.10.2

Web Server

Figure 14-7

SA

DA

64.100.10.2

209.165.201.11

Source Port

Destination Port

1268

80

Hop 3: Web Server to NAT-Enable R1

192.168.51.5

192.168.51.1

209.165.201.11

ISP

PC1

Internet

R1 64.100.10.2

Web Server

instructor.indb 187

SA

DA

Source Port

Destination Port

3/12/14 7:51 AM

188


Figure 14-7a Hop 3: Web Server to NAT-Enable R1 (Answer) 192.168.51.5

192.168.51.1

209.165.201.11

ISP

PC1

Internet

R1 64.100.10.2

Web Server

SA

DA

209.165.201.11

64.100.10.2

Source Port

Destination Port

80

1268

Figure 14-8 Hop 4: NAT-Enabled R1 to PC1 192.168.51.5

192.168.51.1

209.165.201.11

ISP

PC1

Internet

R1 64.100.10.2

Web Server

SA

DA

Source Port

Destination Port

Figure 14-8a Hop 4: NAT-Enabled R1 to PC1 (Answer) 192.168.51.5

192.168.51.1

209.165.201.11

ISP

PC1

Internet

R1 64.100.10.2

Web Server

instructor.indb 188

SA

DA

209.165.201.11

192.168.51.5

Source Port

Destination Port

80

1150

3/12/14 7:51 AM


189

Lab - Configuring NAT Pool Overload and PAT (RP 11.2.3.7/WAN 5.2.3.7) Packet Tracer Activity

Packet Tracer - Implementing Static and Dynamic NAT (RP 11.2.3.6/WAN 5.2.3.6)

A Word About Port Forwarding Because NAT hides internal addresses, peer-to-peer connections work only from the inside out, where NAT can map outgoing requests against incoming replies. The problem is that NAT does not allow requests initiated from the outside. To resolve this problem, you can configure port forwarding to identify specific ports that can be forwarded to inside hosts. The port forwarding configuration is commonly done in a GUI. However, you can also configure port forwarding in the Cisco IOS adding the following command to your NAT configuration: Router(config)# ip nat inside source {static {tcp | udp local-ip local-port global-ip global-port} [extendable]


Packet Tracer - Configuring Port Forwarding on a Linksys Router (RP 11.2.4.4/WAN 5.2.4.4)

Configuring NAT and IPv6 IPv6 includes both its own IPv6 private address space and NAT, which are implemented differently than they are for IPv4. IPv6 uses a unique local address (ULA) for communication within a local site. In Figure 14-9, label the missing parts of the IPv6 ULA address structure. Figure 14-9 IPv6 Unique Local Address Structure Bits

L

Subnet ID

PseudoRandom Algorithm

EUI-64, Random, or Manual Configuration

1 or 0

instructor.indb 189

3/12/14 7:51 AM

190


Figure 14-9a IPv6 Unique Local Address Structure (Answer) Bits

7

1

40

16

64 /64

Prefix

L

Global ID

PseudoRandom Algorithm

FC00::/7

Subnet ID

Interface ID

EUI-64, Random, or Manual Configuration

1 or 0

ULAs are also known as local IPv6 addresses. Briefly describe three characteristics of ULAs. ■

Allow sites to be combined or privately interconnected, without creating any address conflicts or requiring renumbering of interfaces that use these prefixes

■

Independent of any ISP and can be used for communications within a site without having any Internet connectivity

■

Not routable across the Internet, but if accidentally leaked by routing or DNS, there is no conflict with other addresses

What is the main purpose of NAT for IPv6? To provide a translation mechanism between IPv6 and IPv4 networks Briefly describe the three transition strategies to move from IPv4 to IPv6. Dual stack is when the devices are running protocols associated with both the IPv4 and IPv6. Tunneling for IPV6 is the process of encapsulating an IPv6 packet inside an IPv4 packet. This allows the IPv6 packet to be transmitted over an IPv4-only network. Translation strategies include NAT-PT, which is now replaced with NAT64.

Troubleshooting NAT When there are IPv4 connectivity problems in a NAT environment, it is often difficult to determine the cause of the problem. The first step in solving the problem is to rule out NAT as the cause. Follow these steps to verify that NAT is operating as expected:

instructor.indb 190

Step 1.

Review the purpose of the NAT configuration. Is there a static NAT implementation? Are the addresses in the dynamic pool actually valid? Are the inside and outside interfaces correctly identified?

Step 2.

Verify that correct translations exist in the translation table using the show ip nat translations command.

Step 3.

Use the clear ip nat translations * and debug ip nat commands to verify that NAT is operating as expected. Check to see whether dynamic entries are re-created after they are cleared.

Step 4.

Review in detail what is happening to the packet, and verify that routers have the correct routing information to move the packet.

3/12/14 7:51 AM


191

Lab - Troubleshooting NAT Configurations (RP 11.3.1.5/WAN 5.3.1.5) Packet Tracer Activity

Packet Tracer - Verifying and Troubleshooting NAT Configurations (RP 11.3.1.4/WAN 5.3.1.4) Packet Tracer - Skills Integration Challenge (RP 11.4.1.2/WAN 5.4.1.2)

instructor.indb 191

3/12/14 7:51 AM

instructor.indb 192

3/12/14 7:51 AM

CHAPTER 15

Broadband Solutions

With the advent of broadband technologies like digital subscriber line (DSL) and cable, working from home has become a popular option for both employees and companies alike. Virtual private networks (VPN) allow workers to securely connect to the business from remote locations. There are several factors to consider when choosing a broadband solution. This chapter reviews DLS, cable, wireless, VPN, and the factors to consider when implementing broadband solutions.

instructor.indb 193

3/12/14 7:51 AM

194


Teleworking Teleworking is working away from the traditional workplace by using telecommunication technologies such as broadband and VPN security.

Benefits of Teleworking The groups that benefit from teleworking include employees, employers, local governments, and communities. In Table 15-1, indicate which group primarily receives the benefit described. Table 15-1

Benefits of Teleworking

Benefit

Employer

Improves employee morale

X

Decreases recruitment and retention costs

X

Government/ Community

Reduces local infrastructure costs

X

Attracts local employment and development

X

Individual

Saving time or earning more in the same time

X

Increases available time to care for dependents

X

Reduces absenteeism levels

X

Reduces the impact of urban drift

X

Reduces costs associated with commuting

X

Can reduce regional traffic delays

X

Flexibility to deal with personal tasks Customers experience improved response times

X X

Costs of Teleworking Teleworking does have some costs, as well. List at least two costs from the employer’s perspective and two costs from the employee’s perspective. Employer It may be difficult to keep track of employee progress on work. Managers must use a different management style to oversee teleworkers. Employees Teleworkers can feel isolated working alone. Lack of technology support and services compared to colleagues that are in the office. Teleworking can have its own set of distractions like household chores or leisure pursuits like watching TV.

Business Requirements for Teleworker Services Both the teleworker and the business must meet certain minimum requirements to implement teleworking services for the organization. In Table 15-2, indicate whether the teleworker or the company is responsible for each requirement.

instructor.indb 194

3/12/14 7:51 AM

Chapter 15: Broadband Solutions

Table 15-2

195

Teleworker Services Requirements

Responsibility

Usually uses cable or DSL to access the VPN.

Teleworker

Company

X

Manages VPN authentication procedures. Uses client software for network access.

X X

Determines link aggregation and VPN termination methods. Uses network access while traveling.

X X

Maintains VPN concentrators and security appliances.

X

Comparing Broadband Solutions Depending on the location of the teleworker, connecting to the corporate network can be done in one of three ways: cable, DSL, or broadband wireless.

Cable Cable broadband uses a coaxial cable that carries radio frequency (RF) signals across the network. What portion of the electromagnetic spectrum do these signals occupy? Radio frequencies occur between 1 KHz and 1 THz on the electromagnetic spectrum. Traditionally, cable communications was one way. Modern cable systems now provide two-way communication. What three main telecommunication services are offered by today’s cable companies? Cable companies now offer digital cable TV, residential phone service, and high-speed Internet access. Two-way communications occurs downstream in the 50- to 860-MHz range and upstream in the 5- to 42-MHz range. The Data-over-Cable Service Interface Specification (DOCSIS) is the international standard developed by CableLabs that cable operators use to provide Internet access over their existing hybrid fiber-coaxial (HFC) infrastructure. What two types of equipment are required to send digital modem signals upstream and downstream on a cable system? Cable Modem Termination System (CMTS) at the headend of the cable operator Cable Modem (CM) on the subscriber end

instructor.indb 195

3/12/14 7:51 AM

196


Match the definition on the left with a term on the right. Terms are only used once. Definitions a. Combining both fiber-optic and coax cabling

together into a hybrid cabling infrastructure b. Defines the communications and operation

support interface that permits the addition of high-speed data transfer to a traditional cable TV system c. The direction of a signal transmission from

Terms d. CMTS b. DOCSIS c. Downstream e. Frequency a. HFC f. Upstream

the headend to subscribers d. Located in the headend (and communicates

with CMs located in subscriber homes) e. The rate at which current (voltage) cycles

(computed as the number of waves per second) f. The direction of a signal transmission from

subscribers to the headend

instructor.indb 196

3/12/14 7:51 AM


197

DSL Digital subscriber line (DSL) technology takes advantage of the additional bandwidth available in telephone networks between 3 KHz and 1 MHz. Briefly describe the two main types of DSL. Asymmetric DSL (ADSL) provides higher downstream bandwidth than upload speed. Symmetric DSL (SDSL) provides the same bandwidth in both directions. The local loop connection to the CO must be less than 3.39 miles (5.46 km). What two components are required to provide a DSL connection to the teleworker? Equipment required includes a transceiver (DSL modem), which connects the teleworker’s network to the DSL network and a DSL access multiplexer (DSLAM) located at the CO to combine individual DSL subscribers into one link to an ISP. The analog voice and ADSL signals must be separated to avoid interference. What two devices can separate the signals? There are two ways to separate ADSL from voice at the customer premises: using a microfilter or using a splitter.

instructor.indb 197

3/12/14 7:51 AM

198


Match the definition on the left with a term on the right. Terms are only used once. Definitions a. Located at the CO, a device that combines

individual DSL connections from subscribers into one high-capacity link to an ISP b. Sometimes referred to as the DSL modem,

a device that connects the subscriber to the DSL network c. The category of DSL technology that provides

Terms c. ADSL f. DSL a. DSLAM d. Microfilter e. SDSL b. Transceiver

high-speed downstream data capacity value with a lower upstream capacity value d. Device with one end connecting to a tele-

phone device and the other end connecting to the telephony wall jack e. Category of DSL technology that provides

equal high-speed downstream and upstream data capacities f. A means of providing high-speed connections

over pre-existing installed copper wire infrastructure

instructor.indb 198

3/12/14 7:51 AM


199

Broadband Wireless Of the three broadband technologies, wireless offers the largest variety of ways to connect. Whether from your laptop or from a smartphone, urban or rural, broadband wireless has a solution. Match the definition on the left with a term on the right. Terms are only used once. Definitions a. Uses a point-to-multipoint topology to pro-

vide wireless cellular broadband access at speeds up to 1 Gbps b. Newer and faster technology for high-speed

cellular data (considered to be part of 4G) c. Cellular broadband access that gets faster with

each generation

Terms c. 3G/4G Wireless b. LTE d. Municipal WiFi f. VSAT a. WiMAX e. Wireless Internet

d. Employs a mesh network with an access

points at each node for 802.11 connections e. A general term for Internet service from a

mobile phone or any other mobile device that uses the same technology f. Two-way satellite Internet using IP multicast-

ing technology

instructor.indb 199

3/12/14 7:51 AM

200


Selecting Broadband Solutions Ideally, a teleworker would have a fiber-optic cable directly connected to the home office. When selecting the broadband solution that is right for you, you want to consider several factors. In Table 15-3, indicate the factors for each broadband solution. Table 15-3

Broadband Solutions: Factors to Consider

Factor to Consider

Cable

DSL

Requires fiber installation directly to the home.

Fiberto-theHome

Cellular/ Mobile

Wi-Fi Mesh

X

Coverage is often an issue, bandwidth is limited, and data may not be unlimited.

X

Bit rate is limited to 2 Mbps per subscriber, cell size is 1 to 2 km (1.25 mi). Bandwidth is shared by many users, and upstream data rates are often slow. Limited bandwidth that is distance sensitive, and the upstream rate is proportionally quite small compared to downstream rate.

WiMAX Satellite

X

X

X

Expensive, limited capacity per subscriber; often provides access where no other access is possible. Most municipalities do not have a mesh network deployed; if it is available and the SOHO is in range, it is a viable option.

X

X

Configuring xDSL Connectivity The underlying data-link protocol commonly used by Internet service providers (ISPs) to send and receive data across DSL links is PPP over Ethernet (PPPoE).

PPPoE Overview For the ISP, what are the benefits of using PPP? PPP supports the ability to assign IP addresses to the remote end of the link. PPP with CHAP authentication allows the ISP to check the customer’s records to make sure that the bill is paid.

instructor.indb 200

3/12/14 7:51 AM


201

What are the three stages of evolution in teleworker connections from the home that use PPP? First there was analog dialup, which was later replaced with ISDN, which was then replaced by DSL.

Configuring PPPoE Although PPPoE configuration is beyond the scope of the course, understanding how PPPoE is implemented will help solidify your skills in configuring PPP. The two steps to configure PPPoE are as follows: Step 1.

Create a PPP tunnel using dialer interface with the following settings: ■

Encapsulation is PPP.

■

IP address is negotiated.

■

MTU size is set to 1492. Why?

To allow for the additional 8-byte PPP header, the MTU is reduced from the maximum Ethernet size of 1500 bytes to 1492.

Step 2.

■

Dialer interface is assigned a pool.

■

CHAP authentication with username and password assigned by ISP.

Enable PPPoE on the interface attached to the DSL modem and assign it as a PPPoE client using the dialer pool defined in Step 1.

You can verify the dialer interface was assigned an IP address with the show ip interface brief command. In Figure 15-1, the ISP router is already configured. Record the commands to configure the Customer router using the following CHAP information: Figure 15-1

PPPoE Configuration Topology

Internet G0/0

G0/0

Customer

ISP DSL Modem

■

Username is CustomerBob.

■

Password is Bob$connect.

DSLAM

Customer(config)# interface dialer 1 Customer(config-if)# ip address negotiated Customer(config-if)# encapsulation ppp Customer(config-if)# ip mtu 1492 Customer(config-if)# dialer pool 1

instructor.indb 201

3/12/14 7:51 AM

202


Customer(config-if)# ppp chap hostname CustomerBob Customer(config-if)# ppp chap password Bob$connect Customer(config-if)# no shutdown Customer(config-if)# interface g0/0 Customer(config-if)# no ip address Customer(config-if)# pppoe enable Customer(config-if)# pppoe-client dial-pool-number 1 Customer(config-if)# no shutdown

If you want to configure this on lab equipment, connect two routers through a switch or with a crossover cable and use the following configuration for ISP: username CustomerBob password Bob$connect ! bba-group pppoe global virtual-template 1 ! interface GigabitEthernet0/0 no ip address pppoe enable group global no shutdown ! interface Virtual-Template1 mtu 1492 ip address 64.100.1.254 255.255.255.0 peer default ip address pool CUSTOMER_POOL ppp authentication chap callin ! ip local pool CUSTOMER_POOL 64.100.1.1 64.100.1.253

Lab - Configuring a Router as a PPPoE Client for DSL Connectivity (CN 6.3.2.3)

instructor.indb 202

3/12/14 7:51 AM

CHAPTER 16

Securing Site-to-Site Connectivity

Up to this point in our WAN discussions, we have covered access options, including leased lines, Frame Relay, cable, digital subscriber line (DSL), and wireless. Now it is time to turn our attention toward a popular solution for linking two sites or a teleworker to the corporate office. With the use of generic routing encapsulation (GRE) and IP security (IPsec), virtual private networks (VPNs) play an important role in today’s network implementations.

instructor.indb 203

3/12/14 7:51 AM

204


VPNs With the proper implementation at that central site, VPNs provide the flexibility of having safe and secure connections regardless of the underlying access technology. This is increasingly important as more users need or want access to their corporate networks no matter their current location.

Fundamentals of VPNs VPNs are used to create a private tunnel over the Internet regardless of the WAN access option used to make the connection. Briefly describe three different scenarios in which VPNs are a viable solution. VPNs are ideal for connecting teleworkers, remote/branch offices, and business partners to the corporate network at the central site. What is the difference between VPN and secure VPN? Secure VPNs are implemented with data encryption using IPsec. To implement a VPN, a VPN gateway is needed. List three devices can serve as a VPN gateway. A router, a firewall, and Cisco’s Adaptive Security Appliance (ASA) can all serve as VPN gateways. Briefly describe four benefits to using VPNs. Cost savings: VPNs allow organizations to replace expensive dedicated WAN links or modem banks by using Internet connections to connect end users. Scalability: It is easy to add branches, partners, or users because ISP choices can be made locally. Compatibility with broadband technology: Home, branch, and mobile workers can take advantage of whatever broadband technology they are using to connect to the Internet. Security: VPNs use advanced encryption technology to secure data as it travels across the Internet.

Types of VPNs There are two main types of VPN networks. Site-to-site VPNs support connections where the two locations are permanent and contain more than one user. For example, a branch site or a business partner site most likely would benefit from a site-to-site VPN. Remote-access VPNs are best used for single user connection needs such as teleworkers and mobile users. In Table 16-1, indicate the type of VPN described by each characteristic. Table 16-1

Comparing Site-to-Site and Remote-Access VPNs

Characteristic

Remote-Access VPNs

VPN is dynamically enabled when needed.

X

Most likely uses VPN client software to establish VPN connection and encrypt data.

X

Users have no knowledge of the VPN.

instructor.indb 204

Site-to-Site VPN

X

3/12/14 7:51 AM

Chapter 16: Securing Site-to-Site Connectivity

Characteristic

Site-to-Site VPN

Connects networks together through peer VPN gateways.

Remote-Access VPNs

X

Uses a client/server model.

X

Connects teleworkers and mobile users.

X

VPN connection is static.


205

X

Packet Tracer - Configuring VPNs (Optional) (CN 7.1.2.4)

Site-to-Site GRE Tunnels Generic routing encapsulation (GRE) is a site-to-site VPN tunneling protocol developed by Cisco. GRE can encapsulate a wide variety of protocol packet types inside IP tunnels.

Fundamentals of Generic Routing Encapsulation List three protocols that GRE can encapsulate. IPv4, IPv6, AppleTalk, DECnet, or IPX Figure 16-1 shows the basic fields in a GRE encapsulated packet. Figure 16-1

GRE Encapsulated Packet

IP

GRE

IP

TCP

Data

Figure 16-2 shows the topology we will use to configure GRE later in this section. Notice how the protocol packet, IP, is encapsulated with GRE, then encapsulated in an IP packet for transport across the Internet. The inside IP packet is using private addressing and the outside IP packet is using public addressing. Note: The public addressing is on the same subnet. This is uncommon on real networks. However, we are doing it here so that you can easily attach to routers and use this configuration for practice. Figure 16-2 GRE Topology 64.100.1.2/30 S0/0/0 PC1

G0/0

Tunnel RTB

10.10.2.10/24

64.100.1.1/30 S0/0/0

G0/0

10.1.1.2/30 Tunnel1

10.1.1.0/30

10.1.1.2/30 Tunnel1

RTA IPv4

10.10.1.10/24

Original Packet

IP Header

instructor.indb 205

GRE Header

Payload Packet

3/12/14 7:51 AM

206


GRE is defined by IETF RFC 2784. In the outer IP header, 47 is used in the Protocol field to indicate that a GRE header follows. In the GRE header, a Protocol Type field specifies the OSI Layer 3 protocol that is encapsulated (IP in Figure 16-2). GRE is stateless, meaning that it does not include any flow-control mechanisms. Also, GRE does not include any security mechanisms to protect the payload. The GRE header and additional IP header creates at least 24 bytes of additional overhead for tunneled packets.

Configuring GRE Tunnels In Figure 16-2 shown earlier, assume the physical interfaces on RTA and RTB are configured and active. Also assume that RTA is already configured with a GRE tunnel and OSPF routing. To configure GRE on RTB, complete the following steps: Step 1.

Create a tunnel interface using the interface tunnel number command. The interface numbers do not have to match between RTA and RTB.

Step 2.

Configure an IP address for the tunnel interface. The two routers on the tunnel should use addresses from the same subnet. In our topology, the subnet is 10.1.1.0/30.

Step 3.

Specify the tunnel’s source IP address in the public part of the network with the tunnel source ip-address command. The IP address must match the other side’s configuration for tunnel destination ip-address. For RTB, this address is the 64.100.1.2 IP address configured on its S0/0/0 interface.

Step 4.

Specify the tunnel’s destination IP address in the public part of the network with the tunnel destination ip-address command. The IP address must match the other side’s tunnel source ip-address. For RTB, this address is the 64.100.1.1 IP address configured on RTA’s S0/0/0.

Step 5.

Configure routing to use the tunnel to advertise the private LANs at each site. Note: These steps do not include configuring the tunnel mode command because the default, GRE IP, is what is needed here. However, in the future, the GRE tunnel will most likely be IPv6.

Using these steps, record the commands including the router prompt to configure RTB with a GRE tunnel to RTA. RTB(config)# interface tunnel 1 RTB(config-if)# ip address 10.1.1.2 255.255.255.252 RTB(config-if)# tunnel source 64.100.1.2 RTB(config-if)# tunnel destination 64.100.1.1 RTB(config-if)# router ospf 1 RTB(config-router)# network 10.10.2.0 0.0.0.255 area 0 RTB(config-router)# network 10.1.1.0 0.0.0.3 area 0

A number of commands can be used to verify the GRE tunnel is operational. Of course, the ultimate test is that PC1 should now be able to ping the server attached to the RTA LAN. If connectivity fails, use the following commands to troubleshoot the issue.

instructor.indb 206

3/12/14 7:51 AM


207

Record the commands and command filtering used to generate the following output. RTB# show ip ospf neighbor

Neighbor ID

State

0

FULL/

64.100.1.1

Pri

-

Dead Time

Address

Interface

00:00:34

10.1.1.1

Tunnel1

RTB# show ip interface brief | include Tunnel Tunnel1

10.1.1.2

YES manual up

up

RTB# show ip route ospf | begin Gateway Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks O

10.10.1.0/24 [110/1001] via 10.1.1.1, 00:23:49, Tunnel1

RTB# show interface Tunnel 1 Tunnel1 is up, line protocol is up Hardware is Tunnel Internet address is 10.1.1.2/30 MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation TUNNEL, loopback not set Keepalive not set Tunnel source 64.100.1.2, destination 64.100.1.1 Tunnel protocol/transport GRE/IP Key disabled, sequencing disabled Checksumming of packets disabled Tunnel TTL 255, Fast tunneling enabled Tunnel transport MTU 1476 bytes RTB#

In the output from the last command shown, why is the maximum transmission unit (MTU) set at 1476 bytes? The overhead for GRE is 24 bytes, which limits the encapsulated packet from the normal 1500 bytes to 1476 bytes. Lab - Configuring a Point-to-Point GRE VPN Tunnel (CN 7.2.2.5)


instructor.indb 207

Packet Tracer - Configuring GRE (CN 7.2.2.3) Packet Tracer - Troubleshooting GRE (CN 7.2.2.4)

3/12/14 7:51 AM

208


Introducing IPsec Although GRE is excellent for creating a tunnel across the Internet, it does not include any kind of security. This section reviews basic IPsec concepts. IPsec configuration is not a CCNA Routing and Switching exam topic. So, any practice you do is purely optional.

Internet Protocol Security RFC 4301, Security Architecture for the Internet Protocol, defines IP security, or simply IPsec. Briefly describe each of the four critical functions of IPsec security services. ■

Confidentiality (encryption): IPsec provides strong algorithms used to encrypt the data before it is sent across the VPN tunnel.

■

Data integrity: When data is received on the other end of the tunnel, IPsec has uses a hash to ensure that the packet has not been changed.

■

Authentication: IPsec uses Internet Key Exchange (IKE) to authenticate that the connection is made with the desired communication partner.

■

Anti-replay protection: This is the ability to detect and reject replayed packets and helps prevent spoofing. Late and duplicate packets are dropped.

IPsec Framework Encryption protects data confidentiality and integrity. Authentication ensures that the sender and receiver actually know and trust each other. Encryption What two factors impact the degree of confidentiality in an encryption algorithm? The shorter a key used in the encryption, the easier it is to hack. Therefore, longer keys (such as 256-bit) provide stronger encryption and data confidentiality. In addition, the sophistication of the algorithm impacts confidentiality. What is the main difference between symmetric and asymmetric encryption? In symmetric encryption, the source and destination use a pre-shared key, whereas in asymmetric encryption, the source and the destination use two different keys. In what scenarios are symmetric and asymmetric encryption used? Symmetric encryption is commonly used to encrypt the contents of a message, and asymmetric encryption is commonly used for digital certificates. What is the main purpose of the Diffie-Hellman (DH) algorithm? DH is a method for two parties to establish a shared secret key that will be used by encryption and hash algorithms. Hash-based Message Authentication Code (HMAC) is a mechanism for message authentication using hash functions. A keyed HMAC is a data integrity algorithm that guarantees the integrity of a message. What are the two common HMAC algorithms? MD5 and SHA

instructor.indb 208

3/12/14 7:51 AM


209

Briefly describe the operation of an HMAC algorithm. A shared secret key and variable-length message are combined and run through the algorithm. The result is a hash that is appended to the original message. The receiving end reverses the process to decrypt the variable-length message. Authentication Encryption is crucial, as we have seen. However, a VPN tunnel must also authenticate the device on the other end before the path can be considered secure. Briefly describe the two main peer authentication methods. ■

PSK: A secret key that is shared between the two parties using a secure channel before it needs to be used. It is manually configured and used to authenticate at each end.

■

RSA signatures: Digital certificates are obtained from a certificate authority and then are exchanged to authenticate peers.

Figure 16-3 is a depiction of the IPsec framework with all the possible algorithm choices for each piece in the framework. Figure 16-3 IPsec Framework IPsec Framework Choices

IPsec Protocol

AH

Confidentiality

ESP

ESP + AH

DES

3DES

AES

DH5

DH...

Integrity

MD5

SHA

Authentication

PSK

RSA

Diffie-Hellman

DH1

DH2

SEAL

Briefly describe each of the following: IPsec framework protocol: The protocol used to encapsulate the full packet. Most likely, the Encapsulating Security Payload (ESP) is used. Confidentiality: The selection of an encryption algorithm to encrypt and decrypt the original message. Integrity: A hash algorithm is used to guarantee that the data has not been altered in transit. Authentication: A method is used to authenticate the two ends of a tunnel, either PSK or RSA. DH algorithm: The method in which a shared secret key is established between peers.

instructor.indb 209

3/12/14 7:51 AM

210



Packet Tracer - Configuring GRE over IPsec (Optional) (CN 7.3.2.8)

Remote Access As discussed earlier in this chapter, VPNs are an ideal remote-access solution for many reasons. Secure communications can easily be implemented, scaled, and tailored to the access rights of the individual. This section briefly reviews types of remote-access VPN solutions.

Remote-Access VPN Solutions What are the two primary methods for deploying remote-access VPNs? IPsec and SSL List three benefits or features of Cisco SSL VPN solutions. Web-based, clientless access, and complete network access without preinstalled desktop software Protection against viruses, worms, spyware, and hackers on a VPN connection by integrating network and endpoint security in the Cisco SSL VPN platform Use of a single device for both SSL VPN and IPsec VPN In Table 16-2, label the two columns with the Cisco SSL VPN solution that is best described by the statements. Table 16-2

Cisco SSL VPN Solutions

Cisco SSL VPN Solution Description

Cisco AnyConnect Secure Mobility Client with SSL

Non-corporate-managed devices are provided VPN remote access

X

Provides access to corporate resources for devices that are not managed by the corporation

X

Provides clients with a LAN-like full network access

X

Remote users establish the SSL session using a web browser

X

A client application must be installed on the end-user device

X

Requires a standalone application be installed on the end-user device

X

Access to services is limited to browser-based file-sharing resources

instructor.indb 210

Cisco Secure Mobility Clientless SSL

X

3/12/14 7:51 AM


211

IPsec Remote-Access VPNs The Cisco Easy VPN solution feature offers flexibility, scalability, and ease of use for both site-to-site and remote-access IPsec VPNs. The Cisco Easy VPN solution consists of three components. Label each based on the following descriptions. ■

Cisco Easy VPN Remote: A Cisco IOS router or Cisco ASA firewall acting as a VPN client

■

Cisco VPN Client: An application supported on a PC used to access a Cisco VPN server

■

Cisco Easy VPN Server: A Cisco IOS router or Cisco ASA Firewall acting as the VPN headend device in site-to-site or remote-access VPNs

IPsec exceeds SSL in many ways. In Table 16-3, indicate whether the characteristic belongs to SSL or IPsec. Table 16-3

Comparing SSL and IPsec

Characteristic

40- to 256-bit key-length encryption.

SSL

Access to all IP-based applications. X

One- or two-way authentication.

X

Specifically configured devices can connect.

X

Shared secrets or digital certificates for authentication.

X

56 to 256-bit, key-length encryption.

instructor.indb 211

X

Any device can connect.

Web applications and file sharing.


IPsec

X

X X

Packet Tracer - Skills Integration Challenge (CN 7.5.1.2)

3/12/14 7:51 AM

instructor.indb 212

3/12/14 7:51 AM

CHAPTER 17

Monitoring the Network

Most of your CCNA studies have focused on implementing networking technologies. But what if there is currently no design or implementation to do in your job as network administrator? What if the network is already up and running? Then chances are you will be responsible for monitoring the network. Over the years, several tools have evolved to help you do just that. This chapter focuses on three popular monitoring tools: Syslog, Simple Network Management Protocol (SNMP), and NetFlow.

instructor.indb 213

3/12/14 7:51 AM

214


Syslog The most common method of accessing system messages that networking devices provide is to use a protocol called syslog.

Syslog Operation Developed in the 1980s and documented as RFC 3164, syslog used UDP port 514 to send notifications across IP networks to a syslog server. Briefly describe the three main syslog functions. ■

Gathers logging information for monitoring and troubleshooting

■

Can be configured to select the type of logging information that is captured

■

Can be configured to send captured syslog messages to a destination IP address

List the four destinations these messages can be sent to. ■

RAM (logging buffer)

■

Console line

■

Terminal line

■

Syslog server

Because you have configured many routers by now, one of the more common messages you have seen is the interface “up” and “up” message, as shown in Example 17-1. Example 17-1

Syslog Message: Interface Is “Up” and “Up”

000039: *Nov 13 15:20:39.999: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up 000040: *Nov 13 15:20:40.999: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up

In Table 17-1, use the second line of output from Example 17-1 to provide an example of each field in the syslog message format. Table 17-1

Syslog Message Format

Field

Example

Sequence Number

000040:

Timestamp

*Nov 13 15:20:40.999:

Facility

%LINEPROTO

Severity

5

Mnemonic

UPDOWN

Description

Line protocol on Interface GigabitEthernet0/0, changed state to up

By default, the Sequence Number field is not shown. Record the command, including the router prompt, to add this field to syslog messages. Router(config)# service sequence-numbers

instructor.indb 214

3/12/14 7:51 AM

Chapter 17: Monitoring the Network

215

What are the two different methods to make sure the timestamp is accurate? Manually set the date and time using the clock command. Configure the router to get its date and time from an NTP server using the ntp server ip-address command.

Configuring Syslog Using the topology and addressing shown in Figure 17-1, record the commands including the router prompt to configure the logging service on RTA with the following requirements: ■

All logging messages should be sent to the console and to the buffer as well as the syslog server.

■

Only log messages with severity 5 or lower.

■

The source interface for logged messages should always be the G0/0 interface.

Figure 17-1

Syslog Configuration Topology G0/0 Syslog Server

RTA 10.10.10.1

10.10.10.10

RTA# configure terminal RTA(config)# logging console RTA(config)# logging buffer RTA(config)# logging 10.10.10.10 RTA(config)# logging trap 5 RTA(config)# logging source interface g0/0

What command will display the messages logged to RAM? RTA# show logging

Lab - Configuring Syslog and NTP (CN 8.1.2.6) Packet Tracer Activity

Packet Tracer - Configuring Syslog and NTP (CN 8.1.2.5)

SNMP SNMP began with a series of three RFCs back in 1988 (1065, 1066, and 1067). The SNMP name is derived from RFC 1067, A Simple Network Management Protocol. Since then, SNMP has undergone several revisions.

SNMP Operation SNMP is an application layer protocol that provides a standardized way of communicating information between SNMP agents and SNMP managers using UDP port 162. The SNMP manager is part of a network management system (NMS). The SNMP manager can collect

instructor.indb 215

3/12/14 7:51 AM

216


information from agents using “get” messages. Each agent stores data about the device in the Management Information Base (MIB) locally so that it is ready to respond to these messages from the NMS. Agents can also be configured to forward directly to the NMS using “trap” messages. In Table 17-2, indicate the SNMP message type for each of the descriptions provided. Table 17-2

SNMP Message Type

Operation

Description

get-request

Retrieves a value from a specific variable.

get-next-request

Retrieves a value from a variable within a table. The SNMP manager does not need to know the exact variable name; a sequential search is performed to find the needed variable from within a table.

get-bulk-request

Retrieves large blocks of data, such as multiple rows in a table; only works with SNMPv2 or later.

get-response

Replies to messages sent by an NMS.

set-request

Stores a value in a specific variable.

trap

An unsolicited message sent by an SNMP agent to an SNMP manager when some event has occurred.

Although SNMPv1 is legacy, Cisco IOS supports all three versions. All versions of SNMP use SNMP managers, agents, and MIBs. In today’s networks, you will most likely encounter SNMPv3 or SNMPv2c. In Table 17-3, indicate whether the SNMP characteristic applies to SNMPv2c, SNMPv3, or both. Table 17-3

Comparing SNMPv2c and SNMPv3

Characteristic

SNMPv2c

Used for interoperability and includes message integrity

SNMPv3

X

Provides services for security models Uses community-based forms of security

X X

Includes expanded error codes with types

X

Provides services for both security models and security levels

X

Authenticates the source of management messages

X

Cannot provide encrypted management messages

Both

X

Supported by Cisco IOS software

X

In SNMPv1 and SNMPv2c, access to the MIB is controlled through the use of two types of community strings: ■

Read-only(ro): Access to MIB variables but no changes allowed

■

Read-write(rw): Access and manipulation of MIB variables allowed

Why is this type of access no longer considered best practice? Community strings are sent in plain text across the network. They are easy to intercept, read, alter, and resend. The MIB defines a variable using a MIB object ID. These IDs are derived hierarchically using the scheme shown in Figure 17-2. Label Figure 17-2 with the most common public variables.

instructor.indb 216

3/12/14 7:51 AM


Figure 17-2

217

Management Information Base Object ID Scheme

cisco (9).

local variables (2).

cisco mgmt (9).

interface group (2).

cisco flash group (10).

Management Information Base Object ID Scheme (answer) iso (1).

org (3).

dod (6).

internet (1).

private (4).

enterprises (1).

cisco (9).

instructor.indb 217

local variables (2).

cisco mgmt (9).

interface group (2).

cisco flash group (10).

3/12/14 7:51 AM

218


Lab - Researching Network Monitoring Software (CN 8.2.1.8)

Configuring SNMP In Figure 17-3, RTA is an SNMP agent and NMS is an SNMP manager. Record the commands to configure SNMPv2 on RTA with the following requirements: ■

Use an ACL to allow NMS read-only access to the router using community string NMS_eyesonly.

■

Location is Aloha_Net and the contact is Bob Metcalfe.

■

Specify that 10.10.10.10 is the recipient of traps and explicitly configure the router to send traps.

Figure 17-3

SNMP Configuration Topology Gets G0/0

NMS

RTA 10.10.10.10

10.10.10.1 Traps

RTA(config)# ip access-list standard SNMP RTA(config-std-nacl)# permit 10.10.10.10 RTA(config-std-nacl)# exit RTA(config)# snmp-server community NMS_eyesonly ro SNMP RTA(config)# snmp-server location Aloha_Net RTA(config)# snmp-server contact Bob Metcalfe RTA(config)# snmp-server host 10.10.10.10 version 2c NMS_eyesonly RTA(config)# snmp-server enable traps

Record the commands that generate the SNMP verification output for RTA shown in Example 17-2. Example 17-2

SNMP Verification Commands

RTA# show snmp Chassis: FTX163283RZ Contact: Bob Metcalfe Location: Aloha_Net 0 SNMP packets input 0 Bad SNMP version errors 0 Unknown community name 0 Illegal operation for community name supplied 0 Encoding errors 0 Number of requested variables 0 Number of altered variables

instructor.indb 218

3/12/14 7:51 AM


219

0 Get-request PDUs 0 Get-next PDUs 0 Set-request PDUs 0 Input queue packet drops (Maximum queue size 1000) 0 SNMP packets output 0 Too big errors (Maximum packet size 1500) 0 No such name errors 0 Bad values errors 0 General errors 0 Response PDUs 0 Trap PDUs SNMP Dispatcher: queue 0/75 (current/max), 0 dropped SNMP Engine: queue 0/1000 (current/max), 0 dropped

SNMP logging: enabled Logging to 10.10.10.10.162, 0/10, 0 sent, 0 dropped.

RTA# show snmp community

Community name: ILMI Community Index: cisco0 Community SecurityName: ILMI storage-type: read-only

active

Community name: NMS_eyesonly Community Index: cisco1 Community SecurityName: NMS_eyesonly storage-type: nonvolatile

active access-list: SNMP

Community name: NMS_eyesonly@1 Community Index: cisco2 Community SecurityName: NMS_eyesonly@1 storage-type: nonvolatile

active access-list: SNMP

NetFlow Although syslog and SNMP are powerful tools for collecting information about networking devices, owners of networks were looking for a tool to measure TCP/IP flows. So, Cisco engineers developed NetFlow, which quickly gained popularity in the marketplace.

instructor.indb 219

3/12/14 7:51 AM

220


NetFlow Operation What is the latest version of NetFlow called? Flexible NetFlow What improvements does it make over the original version? Flexible NetFlow adds the capability to customize the traffic analysis parameters for the specific requirements of a network administrator. Briefly describe four reasons to use NetFlow. ■

Measuring who is using what network resources for what purpose

■

Accounting and charging back according to the resource utilization level

■

Using the measured information to do more effective network planning so that resource allocation and deployment is well aligned with customer requirements

■

Using the information to better structure and customize the set of available applications and services to meet user needs and customer service requirements

NetFlow is not a replacement for SNMP. Both have their purposes in network monitoring. In Table 17-4, indicate whether the characteristic describes SNMP or NetFlow. Table 17-4

Comparing SNMP and NetFlow

Characteristics

SNMP

Agents can send traps to a network management system when defined events occur.

X

Access to the MIB is controlled through community string settings.

X

NetFlow

An external server (collector) is used to record IP network monitored cache changes.

X

Interface errors, CPU usage, and memory usage are not recorded.

X

A Management Information Base (MIB) is used to record network monitored events.

X

Collects IP data to record who used network resources and for what purpose those resources were used.

X

Define a TCP/IP flow. A flow is a unidirectional stream of packets between a source and a destination. What fields in a packet are used to determine that the packet is from a different flow? Source IP address, destination IP address, source port number, destination port number, Layer 3 protocol type, ToS marking, and input logical interface

Configuring NetFlow To implement NetFlow on a router, complete the following steps:

instructor.indb 220

Step 1.

Configure NetFlow to capture inbound and outbound packets.

Step 2.

Configure where to send NetFlow data.

Step 3.

Verify NetFlow is operational.

3/12/14 7:51 AM


221

Using Figure 17-4 as a reference, record the commands configure RTA to capture and send NetFlow data from interface G0/0 to the collector using Version 9. Figure 17-4

NetFlow Configuration Topology NetFlow Collector G0/0 RTA 10.10.10.1

10.10.10.10

RTA(config)# interface g0/0 RTA(config-if)# ip flow ingress RTA(config-if)# ip flow egress RTA(config-if)# exit RTA(config)# ip flow-export destination 10.10.10.10 2055 RTA(config)# ip flow-export version 9

Record the commands that generated the NetFlow verification output on RTA shown in Example 17-3. Example 17-3

NetFlow Verification

RTA# show ip flow interface GigabitEthernet0/0 ip flow ingress ip flow egress RTA# show ip cache flow IP packet size distribution (132959 total packets): 1-32

64

96

128

160

192

224

256

288

320

352

384

416

448

480

.998 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

512

544

576 1024 1536 2048 2560 3072 3584 4096 4608

.000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes 1 active, 4095 inactive, 32 added 728 ager polls, 0 flow alloc failures Active flows timeout in 30 minutes Inactive flows timeout in 15 seconds IP Sub Flow Cache, 34056 bytes 1 active, 1023 inactive, 28 added, 28 added to flow 0 alloc failures, 0 force free 1 chunk, 1 chunk added last clearing of statistics never

instructor.indb 221

3/12/14 7:51 AM

222


Protocol

Total

Flows

Packets Bytes

--------

Flows

/Sec

/Flow

UDP-other

13

0.0

ICMP

18

0.0

Total:

31

0.0

Packets Active(Sec) Idle(Sec)

/Pkt

/Sec

/Flow

/Flow

10225

32

37.4

17.6

15.5

1

181

0.0

0.1

15.0

4288

32

37.4

7.5

15.2

SrcIf

SrcIPaddress

DstIf

DstIPaddress

Pr SrcP DstP

Pkts

SrcIf

SrcIPaddress

DstIf

DstIPaddress

Pr SrcP DstP

Pkts

Gi0/0

10.10.10.10

Local

10.10.10.1

01 0000 0303

1

RTA# show ip flow export Flow export v9 is enabled for main cache Export source and destination details : VRF ID : Default Destination(1)

10.10.10.10 (2055)

Version 9 flow records 63 flows exported in 29 udp datagrams 0 flows failed due to lack of export packet 0 export packets were sent up to process level 0 export packets were dropped due to no fib 0 export packets were dropped due to adjacency issues 0 export packets were dropped due to fragmentation failures 0 export packets were dropped due to encapsulation fixup failures

Lab - Collecting and Analyzing NetFlow Data (CN 8.3.3.3)

instructor.indb 222

3/12/14 7:51 AM

CHAPTER 18


In an ideal world, networks would never fail. But mechanical failures happen. Users of the network do unexpected things. So, issues will arise that require a network administrator’s effective troubleshooting skills—one of the most sought after skills in IT. This chapter reviews network documentation, general troubleshooting methods, and tools.

instructor.indb 223

3/12/14 7:51 AM

224


Troubleshooting with a Systematic Approach Documentation is the starting point and is a crucial factor in the success of any troubleshooting effort. With documentation in hand, a network administrator can choose a troubleshooting method, isolate the problem, and implement a solution.

Network Documentation List three types of documentation a network administrator should have to effectively troubleshoot issues. Configuration files Physical and logical topology diagrams Baseline performance measurements List at least four pieces of information that could be included in a network device’s configuration documentation. Type of device, model designation IOS image name Device network hostname Location of the device (building, floor, room, rack, panel) Module types and in which module slot they are located Data link layer addresses Network layer addresses List at least four pieces of information that could be included in an end system’s configuration documentation. Device name (purpose) Operating system and version MAC addresses IPv4 and IPv6 addresses Subnet mask and prefix length Default gateway, DNS server, and WINS server addresses Any high-bandwidth network applications that the end system runs In Table 18-1, indicate whether the feature is part of a physical topology document or logical topology document.

instructor.indb 224

3/12/14 7:51 AM

Chapter 18: Troubleshooting the Network

Table 18-1

225

Physical and Logical Topology Features

Feature

Physical Topology

Logical Topology

WAN technologies used

X

Interface identifiers

X

Connector type

X

Device identifiers or names

X

Cable specification

X

Operating system version

X

Cabling endpoints

X

Device type

X

Data-link protocols

X

DLCI for virtual circuits

X

Site-to-site VPNs

X

Static routes

X

Cable type and identifier

X

Routing protocols

X

Connection type

X

IP address and prefix lengths

X

Model and manufacturer

X

As you learned in Chapter 17, “Monitoring the Network,” the purpose of network monitoring is to watch network performance in comparison to a predetermined baseline. What is the minimum duration for capturing data to establish a baseline? 7 days When is the best time to establish a baseline of network performance? During the hours when the network is used the most In Table 18-2, indicate which statements describe benefits of establishing a network baseline. Table 18-2

Benefits of Establishing a Network Baseline

Statements

Benefit

Enable fast transport services between campuses Investigate if the network can meet the identified policies and use requirements

X X

Combine two hierarchical design layers

instructor.indb 225

Not a Benefit

X

Locate areas of the network that are most heavily used

X

Identify the parts of the network that are least used

X

Identify where the most errors occur

X

Establish the traffic patterns and loads for a normal or average day

X

3/12/14 7:51 AM

226


When documenting the network, it is often necessary to gather information directly from routers and switches using a variety of show commands. Match the information gathered on the left with the show command on the right. Information Gathered

Command

a. Contents of the address resolution table

e. show ip route

b. Uptime and information about device soft-

a. show arp

ware and hardware c. Detailed settings and status for device inter-

faces d. Summary of the NetFlow accounting statistics e. Contents of the routing table f. Summarized table of the up/down status of all

device interfaces

g. show vlan f. show ip interface brief h. show running-config b. show version c. show interface d. show ip cache flow

g. Summary of VLANs and access ports on a

switch h. Current configuration of the device

instructor.indb 226

3/12/14 7:51 AM



227

Packet Tracer - Troubleshooting Challenge - Documenting the Network (CN 9.1.1.8)

Troubleshooting Process and Methodologies All troubleshooting methodologies have four stages they share in common: three stages to find and solve the problem and a final important stage after the problem is resolved. In Figure 18-1, label the four major stages in the troubleshooting process. Figure 18-1

Major Troubleshooting Stages

Stage 1:

Stage 2:

Stage 3:

No

Yes

Problem Fixed?

If it did not fix the problem or if it created another problem, undo corrective action and start again.

Stage 4:

Figure 18-1a Major Troubleshooting Stages (answer)

Stage 1: Gather Symptoms

Stage 2: Isolate the Problem

Stage 3: Implement Corrective Action

No

If it did not fix the problem or if it created another problem, undo corrective action and start again.

instructor.indb 227

Problem Fixed?

Yes

Stage 4: Document solution and save changes.

3/12/14 7:51 AM

228


Note: The Academy curriculum does not label the last stage as Stage 4. However, that is most likely an oversight. Stage 4 is indeed the final and arguably most important stage.

The gathering symptoms stage can be broken into five steps:

instructor.indb 228

Step 1.

Gather information

Step 2.

Determine ownership

Step 3.

Narrow the scope

Step 4.

Gather symptoms from suspect devices

Step 5.

Document symptoms

3/12/14 7:51 AM


229

In Step 1, you will most likely use a variety of commands to progress through the process of gathering symptoms. In the following activity, match the information gathered with the testing command. Information Gathered a. Displays a summary status of all the IP

Version 6 interfaces on a device b. Shows the path a packet takes through the

networks c. Displays the IP version 6 routing table d. Connects remotely to a device by IP address

or URL e. Offers a list of options for real-time diagnos-

tics

Testing Command h. show running-config e. debug ? b. traceroute a. show ipv6 interface brief f. show protocols c. show ipv6 route g. ping d. telnet

f. Shows global and interface specific status of

Layer 3 protocols g. Sends an echo request to an address and waits

for a reply h. Shows the current configuration of the device

instructor.indb 229

3/12/14 7:51 AM

230


In Table 18-3, identify the troubleshooting methodology described by each statement. Table 18-3

Troubleshooting Methodologies

Statements

Disadvantage is it requires you to check every device and interface

Bottom Up

Top Down

Divide Conquer

Spot the Difference

Move the Problem

X

Begins at the OSI application layer

X

Use an experienced troubleshooting guess to investigate a possible cause

X

Used for problems that likely involve software settings

X

Compare a working and nonworking situation while looking for the significant differences

X

Use when suspected problem is cabling or device failure

X

Begins at the OSI physical layer

X

Swap the problematic device with a knownworking device

X

Start with an informed guess for which OSI layer to begin troubleshooting Disadvantage is it requires you to check every network application

Shoot from the Hip

X

X

Network Troubleshooting Effective troubleshooting requires good tools and systematic approaches. The section reviews some of the tools used in today’s networks and some specific troubleshooting symptoms at various OSI layers.

instructor.indb 230

3/12/14 7:51 AM


231

Troubleshooting Tools A wide variety of software and hardware tools is available to make troubleshooting easier. You can use these tools to gather and analyze symptoms of network problems. Match the description on the left with the tool on the right. Description a. Online repositories of experience-based infor-

mation b. Discovers VLAN configuration, average and

peak bandwidth utilization using a portable device c. Tools that document tasks, draw network

diagrams, and establish network performance statistics d. Measures electrical values of voltage, current,

and resistance e. Tests data communication cabling for broken

Software and Hardware Tools h. Host-based protocol analyzer e. Cable tester b. Portable network analyzer c. Baseline establishment tool j. Cable analyzer i. Network Management System Tool f. Cisco IOS Embedded Packet Capture a. Knowledge Base g. Network Analysis Module d. Digital multimeter

wires, crossed wiring, and shorted connections f. Powerful troubleshooting and tracing tool that

provides traffic tracking as it flows through a router g. Provides a graphical representation of traffic

from local and remote switches and routers h. Analyzes network traffic, specifically source

and destination frames i. Includes device-level monitoring, configura-

tion, and fault management j. Tests and certifies copper and fiber cables for

different services and standards via a handheld device

instructor.indb 231

3/12/14 7:51 AM

232


Network Troubleshooting and IP Connectivity A network administrator should be able to quickly isolate the OSI layer where an issue is most likely located. In Table 18-4, indicate the most likely layer associated with each issue. Table 18-4

Isolating the OSI Layer Where an Issue Resides

Network Problems and Issues

OSI Layers 1

2

A computer is configured with the wrong default gateway.

3

4

X

The DNS server is not configured with the correct A records. Traffic is congested on a low capacity link and frames are lost.

X X

STP loops and route flapping are generating a broadcast storm. A cable was damaged during a recent equipment install.

X X

ACLs are misconfigured and blocking all web traffic.

X

SSH error messages display unknown/untrusted certificates. The show processes cpu command displays usage way beyond the baseline.

X X

A VPN connection is not working correctly across a NAT boundary.

X

A static route is sending packets to the wrong router.

X

The routing table is missing routes and has unknown networks listed.

X

On a PPP link, one side is using the default Cisco encapsulation. SNMP messages are unable to traverse NAT.

5, 6, and 7

X X

Knowing which command to use to gather the necessary information for troubleshooting is crucial to effectively and efficiently resolving problems. All the commands you have mastered over the course of your CCNA studies are part of your troubleshooting toolkit. This next exercise only highlights a few.

instructor.indb 232

3/12/14 7:51 AM


233

Match the command output on the left with the command on the right. Command Output a. Displays all known destinations on a Windows

PC b. Displays all known IPv6 destinations on a

router c. Can be used to verify the transport layer d. Clears the MAC to IP address table on a PC e. Displays the MAC to IP address table for other

IPv6 devices f. Displays the known MAC addresses on a

Command e. show ipv6 neighbors h. ipconfig b. show ipv6 route c. telnet f. show mac address-table d. arp -d a. route print g. show interfaces

switch g. Displays input and output queue drops h. Displays the IP addressing information on a

Windows PC

instructor.indb 233

3/12/14 7:51 AM

234


Note: No book or study guide will effectively teach you how to troubleshoot networks. To get proficient at it, you must practice troubleshooting on lab equipment and simulators. This practice works best with a partner or a team because (1) you can collaborate together to resolve issues and (2) you can swap roles, taking turns breaking the network while the other person or team resolves the issue. For those readers with access to the Academy curriculum, the Packet Tracer activities in this chapter are great resources for just such practice sessions with your team. But you also know enough now that you can create your own troubleshooting scenarios to try out on each other. There is no doubt that you will be asked to troubleshoot several issues on the CCNA exam. So, practice as much as you can now in preparation for the test. You might be surprised how fun and rewarding it can be. Packet Tracer Activity

Packet Tracer - Troubleshooting Enterprise Networks 1 (CN 9.2.3.12) Packet Tracer - Troubleshooting Enterprise Networks 2 (CN 9.2.3.13) Packet Tracer - Troubleshooting Enterprise Networks 3 (CN 9.2.3.14) Packet Tracer - Troubleshooting Challenge - Using Documentation to Solve Issues (CN 9.2.3.15) Packet Tracer - CCNA Skills Integration Challenge (CN 9.3.1.2)

instructor.indb 234

3/12/14 7:51 AM

instructor.indb 235

3/12/14 7:51 AM

instructor.indb 236

3/12/14 7:51 AM

CCNA Routing and Switching: Scaling Networks Practice and Study Guide ICND2 200-101 (Instructor's Version)

Recommend Documents